apache#1403 - Downgrade log4j2 to Storm's version. Fixes apache#1403

tballison · Nov 13, 2024 · a53c878 · a53c878
1 parent f53e89a
commit a53c878
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/THIRD-PARTY.txt b/THIRD-PARTY.txt
@@ -66,9 +66,10 @@ List of third-party dependencies grouped by their license type.
         * Apache James :: Mime4j :: Core (org.apache.james:apache-mime4j-core:0.8.11 - http://james.apache.org/mime4j/apache-mime4j-core)
         * Apache James :: Mime4j :: DOM (org.apache.james:apache-mime4j-dom:0.8.11 - http://james.apache.org/mime4j/apache-mime4j-dom)
         * Apache JempBox (org.apache.pdfbox:jempbox:1.8.17 - http://www.apache.org/pdfbox-parent/jempbox/)
-        * Apache Log4j API (org.apache.logging.log4j:log4j-api:2.24.1 - https://logging.apache.org/log4j/2.x/log4j/log4j-api/)
-        * Apache Log4j Core (org.apache.logging.log4j:log4j-core:2.24.1 - https://logging.apache.org/log4j/2.x/log4j/log4j-core/)
+        * Apache Log4j API (org.apache.logging.log4j:log4j-api:2.23.0 - https://logging.apache.org/log4j/2.x/log4j/log4j-api/)
+        * Apache Log4j Core (org.apache.logging.log4j:log4j-core:2.23.0 - https://logging.apache.org/log4j/2.x/log4j/log4j-core/)
         * Apache Log4j JUL Adapter (org.apache.logging.log4j:log4j-jul:2.21.0 - https://logging.apache.org/log4j/2.x/log4j/log4j-jul/)
+        * Apache Log4j SLF4J Binding (org.apache.logging.log4j:log4j-slf4j-impl:2.23.0 - https://logging.apache.org/log4j/2.x/log4j/log4j-slf4j-impl/)
         * Apache Lucene (module: backward-codecs) (org.apache.lucene:lucene-backward-codecs:9.11.1 - https://lucene.apache.org/)
         * Apache Lucene (module: common) (org.apache.lucene:lucene-analysis-common:9.11.1 - https://lucene.apache.org/)
         * Apache Lucene (module: core) (org.apache.lucene:lucene-core:9.11.1 - https://lucene.apache.org/)
@@ -251,7 +252,6 @@ List of third-party dependencies grouped by their license type.
         * rome-utils (com.rometools:rome-utils:2.1.0 - http://rometools.com/rome-utils)
         * server (org.opensearch:opensearch:2.17.0 - https://github.com/opensearch-project/OpenSearch.git)
         * Shaded Deps for Storm Client (org.apache.storm:storm-shaded-deps:2.7.0 - https://storm.apache.org/storm-shaded-deps)
-        * SLF4J 1 Binding for Log4j API (org.apache.logging.log4j:log4j-slf4j-impl:2.24.1 - https://logging.apache.org/log4j/2.x/log4j/log4j-slf4j-impl/)
         * SnakeYAML (org.yaml:snakeyaml:2.3 - https://bitbucket.org/snakeyaml/snakeyaml)
         * snappy-java (org.xerial.snappy:snappy-java:1.1.10.4 - https://github.com/xerial/snappy-java)
         * sniffer (org.opensearch.client:opensearch-rest-client-sniffer:2.17.0 - https://github.com/opensearch-project/OpenSearch.git)

diff --git a/pom.xml b/pom.xml
@@ -70,7 +70,7 @@ under the License.
 		<tika.version>3.0.0</tika.version>
 		<mockito.version>5.14.2</mockito.version>
 		<jetbrains.annotations.version>26.0.1</jetbrains.annotations.version>
-		<log4j2.version>2.24.1</log4j2.version>
+		<log4j2.version>2.23.0</log4j2.version>
 		<commons.io.version>2.14.0</commons.io.version>
 		<git-code-format-maven-plugin.version>5.3</git-code-format-maven-plugin.version>
 		<testcontainers.version>1.20.3</testcontainers.version>
@@ -412,8 +412,13 @@ under the License.
 							<rules>
 								<bannedDependencies>
 									<excludes>
-										<exclude>
-											org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
+										<exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
+										<!--
+                      https://github.com/apache/logging-log4j2/issues/3143
+                      https://github.com/apache/logging-log4j2/issues/3196
+                     -->
+										<exclude>org.apache.logging.log4j:log4j-core:[2.24.1]</exclude>
+										<exclude>org.apache.logging.log4j:log4j-api:[2.24.1]</exclude>
 									</excludes>
 								</bannedDependencies>
 							</rules>