Log4Shell doesn't *look* like it affects Perl's Log::Log4perl according to Mark Gardner. But it is unclear to me still whether Log::Log4perl makes calls to the Java API of log4j (dangerous, at least until log4j is code-reviewed properly and superfluous and lethal enhancements are removed) or implements/emulates most of them (obviously not the remote code execution via JNDI) in pure Perl (not dangerous for JNDI injections). The author says: ... Log::Log4perl is different. It is a pure Perl port of the widely popular Apache/Jakarta log4j library [3] for Java. I do take their word but I am unable to say anything from just reading the source code. I can't understand it. Can anyone shed some light?

So, bottomline is: Log4Shell doesn't *look* like it affects Perl's Log::Log4perl but can anyone explain why?

bw, bliako

p.s. Tangentially: I always thought superfluous enhancements is bad for open source software, starting from gcc's verbal diarrhea, to colour output to most linux commands, to getting unicode (e.g. left-right quotes, ellipses) from the output of linux commands (and even systemd, possibly kernel messages, linux startup messages are full of them). Anyway, this p.s. is for spending my rant-stash for 2021.