From e36908cca2f360f322f2fd65b741f778b05a34ba Mon Sep 17 00:00:00 2001
From: Taylor Smock
Date: Thu, 16 Dec 2021 14:02:08 -0700
Subject: [PATCH 1/2] Update log4j to 2.17.1 to fix DDOS attacks

Signed-off-by: Taylor Smock
---
 build.gradle          |  4 ++--
 dependencies.gradle   | 11 ++++++-----
 gradle/quality.gradle |  4 ++--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/build.gradle b/build.gradle
index d0c5da5a9d..b63bf7979f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -81,8 +81,8 @@ dependencies
     checkstyle packages.atlas_checkstyle
     shaded project.configurations.getByName('compile')
-    shaded packages.slf4j.log4j12
-    shaded packages.log4j
+    shaded packages.log4j.api
+    shaded packages.log4j.slf4j
 }
diff --git a/dependencies.gradle b/dependencies.gradle
index c56b565ebd..2d9abfaa3e 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -3,8 +3,8 @@ project.ext.versions = [
     junit4: '4.13.1',
     junit5: '5.8.1',
     jacoco: '0.8.3',
-    slf4j: '1.7.12',
-    log4j: '1.2.17',
+    slf4j: '1.7.32',
+    log4j: '2.17.1',
     opencsv: '2.3',
     gson: '2.2.4',
     http: '4.5.1',
@@ -44,10 +44,11 @@ project.ext.packages = [
     ],
     slf4j: [
         api: "org.slf4j:slf4j-api:${versions.slf4j}",
-        simple: "org.slf4j:slf4j-simple:${versions.slf4j}",
-        log4j12: "org.slf4j:slf4j-log4j12:${versions.slf4j}",
     ],
-    log4j: "log4j:log4j:${versions.log4j}",
+    log4j: [
+        api: "org.apache.logging.log4j:log4j:${versions.log4j}",
+        slf4j: "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}",
+    ],
     opencsv: "net.sf.opencsv:opencsv:${versions.opencsv}",
     gson: "com.google.code.gson:gson:${versions.gson}",
     http: "org.apache.httpcomponents:httpclient:${versions.http}",
diff --git a/gradle/quality.gradle b/gradle/quality.gradle
index af6b63e35e..5cef323ad6 100644
--- a/gradle/quality.gradle
+++ b/gradle/quality.gradle
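Review bot: The new `api` entry in the second dependencies.gradle hunk points at `org.apache.logging.log4j:log4j`, which is the Log4j 2 parent POM rather than the API jar; the API artifact is `log4j-api`, and the implementation that actually replaces log4j 1.2.17 is `log4j-core`. As written, `packages.log4j.api` contributes no classes of its own, and the build only works if `log4j-core` arrives transitively through `log4j-slf4j-impl`, which depends on how the consuming configurations (`shaded` in the build.gradle hunk and `testCompile` in the gradle/quality.gradle hunk) resolve runtime-scope dependencies. I would change the entry to `api: "org.apache.logging.log4j:log4j-api:${versions.log4j}",` and add `core: "org.apache.logging.log4j:log4j-core:${versions.log4j}",`, then reference `packages.log4j.core` explicitly wherever the implementation must be on the classpath. Because build.gradle shades these jars into the published artifact, the pinned version is baked into downstream consumers and every future Log4j security release will require re-publishing this artifact, so a comment next to `log4j: [` recording that constraint would help the next upgrader.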
@@ -67,8 +67,8 @@ configurations
 dependencies {
-    testCompile packages.slf4j.log4j12
-    testCompile packages.log4j
+    testCompile packages.log4j.slf4j
+    testCompile packages.log4j.api
     // Support Junit 5 tests
     testImplementation packages.junit.api
     testRuntimeOnly packages.junit.engine

From e25cae93399b8a8ef6474848e64c2f6ddc07474d Mon Sep 17 00:00:00 2001
From: Taylor Smock
Date: Thu, 13 Jan 2022 07:13:43 -0700
Subject: [PATCH 2/2] Gradle: Exclude log4j 1.2.17 from osgeo repo

Signed-off-by: Taylor Smock
---
 build.gradle | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index b63bf7979f..8ad889a75f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -26,7 +26,13 @@ targetCompatibility=11
 repositories {
     // For geotools
-    maven { url "http://repo.osgeo.org/repository/release/" }
+    maven {
+        url "https://repo.osgeo.org/repository/release/"
+        content {
+            // osgeo removed the jar and added a -norce version
+            excludeVersion("log4j", "log4j", "1.2.17")
+        }
+    }
     mavenCentral()
 }
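Review bot: The two rewritten lines in the gradle/quality.gradle hunk keep the deprecated `testCompile` configuration while the lines immediately below them in the same block already use `testImplementation` and `testRuntimeOnly`, so the hunk leaves the block half-migrated and the new lines will stop working on a Gradle version that has removed `testCompile` (7.0 onward). A logging binding is only needed at run time, so `testRuntimeOnly packages.log4j.slf4j` and `testRuntimeOnly packages.log4j.api` would match both the neighbouring style and the intended scope; if test sources call the Log4j API directly, the `api` entry belongs in `testImplementation` instead. The `dependencies` block continues past the end of the hunk.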
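Review bot: `excludeVersion("log4j", "log4j", "1.2.17")` in the build.gradle hunk only stops Gradle from asking the osgeo repository for that coordinate; resolution then falls through to `mavenCentral()`, where `log4j:log4j:1.2.17` is still published, so if geotools (the stated reason for this repository) still declares it transitively, log4j 1.2.17 remains on the classpath next to the Log4j 2 jars introduced by the previous commit. If the intent is to keep log4j 1.x out of the build, that needs an exclusion on the configurations rather than a repository filter, e.g. `configurations.all { exclude group: 'log4j', module: 'log4j' }`, together with `org.apache.logging.log4j:log4j-1.2-api` so code compiled against the 1.x API still logs through Log4j 2. The inline comment explains osgeo's action but not the filter's purpose; something like `// osgeo replaced log4j:log4j:1.2.17 with a "-norce" build; skip this repo for that coordinate so resolution falls through to mavenCentral` would state what a reader needs, hedged as appropriate if the fall-through was not the intent. Moving the URL to https is the right call, since it removes a plaintext fetch path for build dependencies.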