Thanks a lot for forking the project.
I noticed there is another known “open issue” which has no CVE assigned, but given that the other CVEs expect untrusted config entries, it might be in scope as well?
Apache claims that the XML parser is vulnerable to external includes (XXE, billion laughs, SSRF). Should we enable secure processing and restrict remote protocols? If so, should we do it unconditionally or with a system property, in case someone really used an external entity?
From the website:
Other issues of note
Log4j 1 doesn't restrict DTD entities in log4j.xml. Users should be careful to ensure any entities specified are correct and secure.
--
http://bernd.eckenfels.net
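The hardening asked about above (secure processing plus no remote protocols, with an opt-out property), as an added example that is neither Bernd's code nor log4j's own DOMConfigurator; the property name log4j.allowExternalEntities is a hypothetical assumption, and the example does not model how the real DOMConfigurator resolves log4j.dtd from the classpath through an EntityResolver.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedConfigParser {

    // Hypothetical opt-out switch (an assumption, not an existing log4j property):
    // -Dlog4j.allowExternalEntities=true restores the old behaviour for a deployment
    // whose log4j.xml really depends on an external entity.
    static final String OPT_OUT = "log4j.allowExternalEntities";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure processing turns on the JAXP entity-expansion limits (billion laughs).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        if (!Boolean.getBoolean(OPT_OUT)) {
            // Empty protocol list: no external DTD or schema may be fetched (XXE, SSRF).
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            // Do not resolve external general or parameter entities at all.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setExpandEntityReferences(false);
        }
        return f;
    }

    static Document parse(String xml) throws Exception {
        return hardenedFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a log4j-style config whose DTD declares an external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE log4j:configuration [\n"
                + "  <!ENTITY ext SYSTEM \"file:///nonexistent\">\n"
                + "]>\n"
                + "<log4j:configuration xmlns:log4j=\"http://jakarta.apache.org/log4j/\">\n"
                + "  <root><level value=\"DEBUG\"/>&ext;</root>\n"
                + "</log4j:configuration>";
        try {
            Document doc = parse(xml);
            System.out.println("parsed, entity not fetched: " + doc.getDocumentElement().getTagName());
        } catch (Exception e) {
            // Some parsers reject the reference instead of skipping it; either way it is not resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On parsers older than JAXP 1.5 the setAttribute calls throw IllegalArgumentException; catch that and rely on the two SAX features, which are the older, more widely supported way to switch off external entities.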