[slf4j-dev] Outdated log4j dependency

Florian Pöhr florian.poehr at nomapo.com
Fri Jul 16 10:29:00 CEST 2021


Hello Ralph,

thanks a lot for the quick reply!

I agree that using Log4j 2 would be a better idea. Unfortunately it is not me using slf4j-log4j12.jar but another project I am dependent upon (https://github.com/dcm4che/dcm4che to be precise). So this decision is out of my hands.

I only now understood that the name slf4j-log4j12.jar probably points to log4j version 1.2.x and this dependency will therefore never be updated to a newer log4j version. I somehow got the impression from the documentation (http://www.slf4j.org/manual.html) that this is the standard way to add log4j (and hence the question why such an old version of log4j is used in that case).

Thanks a lot and have a great weekend,

Florian

On 16.07.2021 at 09:46, Ralph Goers wrote:
> The SLF4J API does not have a dependency on any logging implementation, including log4j 1.2. If you do not want the binding to log4j 1.2 simply do not include the slf4j-log4j12 jar.
>
> Log4j 2 provides the binding between the SLF4J API and Log4j’s API. This is done by including the log4j-slf4j or log4j-slf4j18 jars provided by Log4j 2. Note that while the log4j-slf4j18 jar will provide some compatibility with slf4j-2.0, a new bridge will be required to fully support it as there are new classes in SLF4J 2.0 that must be accessed at compile time to take advantage of those features, and that cannot be done in log4j-slf4j18 without breaking backward compatibility.
>
> FWIW, Log4j 2 also provides the log4j-1.2-api binding which allows the log4j-1.2.17 jar to be removed and routes calls to log4j-1.2 to log4j 2 instead.
>
> Finally, you could use the Log4j 2 API instead of SLF4J if you want. It provides all the features of SLF4J - i.e. it does not lock you into using the Log4j 2 implementation.
>
> Ralph
>
>> On Jul 15, 2021, at 8:34 PM, Florian Pöhr <florian.poehr at nomapo.com> wrote:
>>
>> Dear Slf4j team,
>>
>> I noticed that when using Slf4j with log4j the dependency that gets pulled by Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end of life in 2015 (see http://logging.apache.org/log4j/1.2/download.html).
>>
>> This leads to the following problems:
>>
>> * Log4J 1.2.17 contains a security vulnerability (see https://nvd.nist.gov/vuln/detail/CVE-2019-17571 )
>> * Log4J 1.2.17 contains a dirty bugfix that messes up the java module system (see https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11 )
>>
>> Therefore I wanted to ask: are there any plans to switch to a newer Log4J 2.x version in the near future? I guess I am not the only one having problems with this dependency.
>>
>> Best regards,
>>
>> Florian Poehr
>>
>> _______________________________________________
>> slf4j-dev mailing list
>> slf4j-dev at qos.ch
>> http://mailman.qos.ch/mailman/listinfo/slf4j-dev
>
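As an added illustration of the route Ralph describes above (not part of the thread and not dcm4che's or Log4j's own configuration): a Maven pom.xml excerpt that excludes the slf4j-log4j12 binding and the log4j 1.2.17 jar coming in transitively, then adds Log4j 2's SLF4J binding and its log4j-1.2-api bridge. The dcm4che coordinates, the VERSION placeholders and the property name are assumptions; the Log4j 2 artifact IDs log4j-core, log4j-slf4j-impl and log4j-1.2-api are the published ones for the jars Ralph mentions.

```xml
<!-- Hypothetical pom.xml excerpt (added example, not from the thread). -->
<properties>
  <!-- Set to a current Log4j 2 release; the thread names no version. -->
  <log4j2.version>CURRENT_LOG4J2_VERSION</log4j2.version>
</properties>

<dependencies>
  <!-- Assumed coordinates for the dcm4che artifact that pulls in slf4j-log4j12. -->
  <dependency>
    <groupId>org.dcm4che</groupId>
    <artifactId>dcm4che-core</artifactId>
    <version>DCM4CHE_VERSION</version>
    <exclusions>
      <!-- Drop the SLF4J -> log4j 1.2 binding ... -->
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
      <!-- ... and log4j 1.2.17 itself (end of life, CVE-2019-17571). -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Log4j 2 implementation. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <!-- SLF4J 1.7.x API -> Log4j 2 binding (the "log4j-slf4j" jar in Ralph's reply). -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <!-- Routes any direct log4j 1.2 API calls inside the dependency to Log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Afterwards `mvn dependency:tree` should list neither `org.slf4j:slf4j-log4j12` nor `log4j:log4j`; if either still appears, another dependency is pulling it in and needs the same exclusion.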

