CVE-2021-44228 may affect legacy (pre 1.7) clients via LegacyLauncher
LegacyLauncher aka legacywrapper uses a vulnerable version of log4j; to my understanding the game's logs are routed through it, so this may make Minecraft versions before Release 1.7 vulnerable to the recently disclosed & fixed exploit that affected 1.7+.
This should only affect legacy clients; servers will be unaffected.
I've noticed someone has opened a pull request around this exploit, so you may be able to merge this.
https://github.com/Mojang/LegacyLauncher/pull/34
PS: it'd be neat if you reviewed the other PRs while there
2021-12-10, 08:06 PM
2022-02-02, 02:09 PM
2022-02-02, 01:52 PM
2.2.8354 (Linux), 2.2.8351 (Windows), 2.2.8352 (New Windows App), 2.2.8353 (Mac)