We're working on this right now and will be getting a vote / release for
0.22.1 out asap.

Btw, the log4j announcement mentions a mitigation that does work for our
current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in
the PatternLayout configuration:
https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4. However,
I haven't personally tested this, so I cannot provide any more details
beyond pointing to the announcement.

On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant <
capistrant.lu...@gmail.com> wrote:

> Since it is “critical” severity, I think it would be a good idea to
> seriously consider pushing out a minor version of 0.22.x. Especially since
> the mitigation strategy outlined in the CVE is not available in the log4j
> version that exists today in the current stable release. There is past
> precedent for such releases: see 0.20.2
>
> On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com.invalid>
> wrote:
>
> > Hello, regarding https://github.com/apache/druid/pull/12051 which merged
> > to master,
> >
> > Is it a common practice for the project to backport and release a new
> > minor for the latest version?
> >
>

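The mitigation the reply above points at is a change to the PatternLayout conversion pattern. What follows is an added example, not code from the Druid project or from the log4j announcement: a Python check that scans a log4j2.xml for message converters (%m, %msg, %message) that are not given the {nolookups} option, plus a helper that rewrites a pattern to add it. The sample configuration it runs on is constructed for the example (the pattern `%d{ISO8601} %p [%t] %c - %m%n` is illustrative, not a claim about what Druid ships), and the element shapes it looks for (a PatternLayout with a pattern attribute, or with a Pattern child element) are the standard log4j2 XML forms.

```python
"""Check a log4j2.xml for message converters that still resolve lookups,
i.e. %m / %msg / %message written without the {nolookups} option.

Added example for the thread above; it is not Druid or Apache log4j code.
Assumptions: layouts are configured as <PatternLayout pattern="..."/> or
<PatternLayout><Pattern>...</Pattern></PatternLayout>; property
substitution (${...}) is not resolved, so such patterns are checked as-is.
"""
import re
import xml.etree.ElementTree as ET

# %m, %msg or %message, optionally preceded by a format modifier such as
# %-30.30m, followed by zero or more {option} groups. The negative lookahead
# keeps other converters that start with "m" (%mdc, %marker, %method,
# %maxLen) from matching.
_MSG_CONVERTER = re.compile(
    r"%[-+0-9.]*(?:message|msg|m)(?![A-Za-z])((?:\{[^{}]*\})*)"
)


def _has_nolookups(option_groups):
    """True if any {option} group attached to the converter is nolookups."""
    options = re.findall(r"\{([^{}]*)\}", option_groups)
    return any(o.strip().lower() == "nolookups" for o in options)


def message_converters(pattern):
    """Return (converter_text, has_nolookups) for each message converter."""
    return [
        (m.group(0), _has_nolookups(m.group(1)))
        for m in _MSG_CONVERTER.finditer(pattern)
    ]


def harden_pattern(pattern):
    """Add {nolookups} to every message converter that lacks it."""
    def fix(m):
        if _has_nolookups(m.group(1)):
            return m.group(0)
        return m.group(0) + "{nolookups}"
    return _MSG_CONVERTER.sub(fix, pattern)


def patterns_in_config(xml_text):
    """Yield every pattern string configured on a PatternLayout element."""
    root = ET.fromstring(xml_text)
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern") is not None:
            yield layout.get("pattern")
        for child in layout:
            if child.tag == "Pattern" and child.text:
                yield child.text.strip()


def exposed_patterns(xml_text):
    """Return the configured patterns whose message converter does lookups."""
    return [
        p for p in patterns_in_config(xml_text)
        if any(not ok for _, ok in message_converters(p))
    ]


# Constructed sample config for the demo (not a Druid-shipped log4j2.xml):
# the Console appender uses the unprotected %m, the File appender the
# mitigated %m{nolookups} form from the announcement.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <File name="File" fileName="druid.log">
      <PatternLayout>
        <Pattern>%d{ISO8601} %p [%t] %c - %m{nolookups}%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="File"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for pattern in exposed_patterns(SAMPLE_CONFIG):
        print("lookups still enabled:", pattern)
        print("hardened form:        ", harden_pattern(pattern))
```

Two caveats. The check only sees patterns written literally in the file; a pattern supplied through property substitution or a non-XML configuration format is not resolved. And, as the reply itself says, the mitigation was untested at the time: Apache later withdrew the %m{nolookups} pattern mitigation as incomplete (CVE-2021-45046) and recommends upgrading to a fixed log4j release instead, so treat the rewrite as a stopgap for hosts that cannot be upgraded immediately.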