Thank you for the fast response.
On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <g...@apache.org> wrote:
> We're working on this right now and will be getting a vote / release for
> 0.22.1 out asap.
>
> Btw, the log4j announcement mentions a mitigation that does work for our
> current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in
> the PatternLayout configuration:
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread_bfnl1stql187jytr0t5k0hv0go6b76g4&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=qpDSWATFc6fc441gjKMF6hgdvcZJKCTNltN5EolGlwo&e=
> . However,
> I haven't personally tested this, so I cannot provide any more details
> beyond pointing to the announcement.
>
> On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant <
> capistrant.lu...@gmail.com> wrote:
>
> > Since it is “critical” severity, I think it would be a good idea to
> > seriously consider pushing out a minor version of 0.22.x. Especially
> since
> > the mitigation strategy outlined in the CVE is not available in the log4j
> > version that exists today in the current stable release. There is past
> > precedent for such releases: see 0.20.2
> >
> > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com
> > .invalid>
> > wrote:
> >
> > > Hello, regarding
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_druid_pull_12051&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=WGWSrb1gDnt3pidi5VPE0ibY1jS_KC7J9n56Bm7YPOU&e=
> which merged
> > > to
> > > master,
> > >
> > > Is it a common practice for the project to backport and release a new
> > minor
> > > for the latest version?
> > >
> >
>
