Scheduling removal of Log4J 1 from ESAPI 2.x


Kevin W. Wall

Apr 27, 2022, 12:32:51 AM
to esapi-project-users, esapi-project-dev
The ESAPI deprecation policy (barring some critical or high vulnerability that has no workaround) is that we will leave the deprecated class or method around until either:
  1. The next major release (which would be 3.0.0.0 and is not yet scheduled), OR
  2. Two years after the release date in which it was first deprecated.

Since we officially deprecated Log4J 1 in ESAPI version 2.2.1.0 that was released on July 12, 2020, we will be scheduling it for complete removal on or shortly after July 12, 2022 even if it requires a special release to do so.

Please plan accordingly as July is not that far off. (And for us, it can't come too soon! :)

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

Olivier Jaquemet

Apr 27, 2022, 1:36:26 AM
to Kevin W. Wall, esapi-project-users, esapi-project-dev
Hi all,

In case you missed this information, you can replace log4j 1.x in any project, without any code change, by using reload4j: a binary-compatible distribution maintained by the original author of log4j, without any vulnerabilities.

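The drop-in swap Olivier describes, as an added illustration (not from the thread, and not ESAPI's own build file): a Maven project that gets log4j 1.x transitively, here assumed to be via the ESAPI 2.2.1.0 artifact, excludes it and adds reload4j under the same `org.apache.log4j` package names. The reload4j version is a placeholder to be looked up on Maven Central.

```xml
<!-- Added illustration: swap log4j 1.x for reload4j without touching application code.
     The ESAPI coordinates are an assumption for a project on 2.2.1.0; the reload4j
     version is a placeholder. -->
<dependencies>
  <dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.2.1.0</version>
    <!-- Keep the transitive log4j 1.2.x artifact off the classpath -->
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Binary-compatible replacement: same org.apache.log4j packages and classes,
       so existing log4j 1 API calls resolve against it unchanged -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>REPLACE_WITH_CURRENT_RELOAD4J_VERSION</version>
  </dependency>
</dependencies>
```

After the change, run `mvn dependency:tree` and confirm that no `log4j:log4j` entry remains; any other dependency that still pulls it in needs the same exclusion.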

Kevin W. Wall

Apr 27, 2022, 9:08:45 AM
to Olivier Jaquemet, esapi-project-users, esapi-project-dev
Thanks, I wasn't aware of that. It may work for a short-term replacement (we'll have to check) until July, but we are still planning to remove it from ESAPI, in part just to reduce the complexity in our code base.

-kevin

Simon McClenahan

Apr 28, 2022, 8:18:34 AM
to ESAPI Project Dev, kevin....@gmail.com, esapi-project-users, esapi-project-dev, olivier....@gmail.com
reload4j seems similar to the slf4j bridge that I have mentioned previously.