Hello, everyone!
I’ve been working on cleaning out old versions of Log4j on my servers, and I just discovered that the latest Geoserver “Platform Independent Binary” (v2.23.1) is still shipping with log4j 1.2 bundled in, even though it also includes log4j 2.17.2 and the bridge configuration. I’m guessing this may be some kind of packaging error; deleting the old log4j 1.2 jar does not seem to have interfered with the operation of my instance.
I tried to access the issue tracker to see if anyone else had reported this, but I had trouble getting in – apologies if I made a newbie error somewhere, or if I’m misunderstanding what I’m seeing. In any case, I just thought someone in the community might want to know about this!
And here’s some evidence to demonstrate what I’m seeing – my command line from this morning when I downloaded a fresh .zip file and confirmed that the extra log4j jar still seems to be in there:
$ wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.23.1/geoserver-2.23.1-bin.zip
[…]
2023-06-20 07:40:06 (3.67 MB/s) - ‘geoserver-2.23.1-bin.zip’ saved [119749074/119749074]
$ unzip -l geoserver-2.23.1-bin.zip | grep log4j
302511 05-04-2022 12:29 webapps/geoserver/WEB-INF/lib/log4j-api-2.17.2.jar
1811089 05-04-2022 12:29 webapps/geoserver/WEB-INF/lib/log4j-core-2.17.2.jar
303443 05-04-2022 14:30 webapps/geoserver/WEB-INF/lib/log4j-1.2-api-2.17.2.jar
30948 05-04-2022 13:17 webapps/geoserver/WEB-INF/lib/log4j-jul-2.17.2.jar
12844 05-04-2022 12:29 webapps/geoserver/WEB-INF/lib/log4j-jcl-2.17.2.jar
24248 05-04-2022 13:21 webapps/geoserver/WEB-INF/lib/log4j-slf4j-impl-2.17.2.jar
302511 05-04-2022 12:29 lib/log4j-api-2.17.2.jar
1811089 05-04-2022 12:29 lib/log4j-core-2.17.2.jar
303443 05-04-2022 14:30 lib/log4j-1.2-api-2.17.2.jar
30948 05-04-2022 13:17 lib/log4j-jul-2.17.2.jar
12844 05-04-2022 12:29 lib/log4j-jcl-2.17.2.jar
24248 05-04-2022 13:21 lib/log4j-slf4j-impl-2.17.2.jar
489884 05-04-2020 06:46 lib/log4j-1.2.17.jar
289 05-04-2023 12:28 resources/log4j.properties
I hope this is helpful!
- Demian