
refs #1 update log4j dep (#11)

Open: lutin11 wants to merge 4 commits into timewalker74:master from lutin11:feature/fixup-log4j-cve

lutin11 commented Oct 8, 2025

This MR fixes CVE-2019-17571

lutin11 force-pushed the feature/fixup-log4j-cve branch from e0eef81 to 6e40740 on October 8, 2025 08:41

timewalker74 (Owner) commented

Hello,
I'd rather not change dependency compatibility on the current branch because some users are embedding the server runtime directly in their application code.

Do you really need some log4j2-specific feature, or is your goal to get rid of detected CVEs?
For now, I chose a simpler path, which is replacing the log4j dependency with reload4j (which is a binary-compatible, maintained fork of log4j 1.x).

Note that the client part of FFMQ is only using the commons-logging facade, which you can adapt to whatever logging backend you need by adding one more wrapper (jcl-over-slf4j).

In the future I may create a new branch to modernize the code a bit:
raise minimum JRE to 8, replace commons-logging by slf4j-api, ...

lutin11 (Author) commented Oct 13, 2025

> Hello, I'd rather not change dependency compatibility on the current branch because some users are embedding the server runtime directly in their application code.
>
> Do you really need some log4j2-specific feature, or is your goal to get rid of detected CVEs? For now, I chose a simpler path, which is replacing the log4j dependency with reload4j (which is a binary-compatible, maintained fork of log4j 1.x).

Actually, I don't need it; the goal was just to get rid of the CVE.

> Note that the client part of FFMQ is only using the commons-logging facade, which you can adapt to whatever logging backend you need by adding one more wrapper (jcl-over-slf4j).
>
> In the future I may create a new branch to modernize the code a bit: raise minimum JRE to 8, replace commons-logging by slf4j-api, ...

OK, super!
Thanks for your work.
