Thank you for the fast response. On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <g...@apache.org> wrote:
> We're working on this right now and will be getting a vote / release for > 0.22.1 out asap. > > Btw, the log4j announcement mentions a mitigation that does work for our > current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in > the PatternLayout configuration: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread_bfnl1stql187jytr0t5k0hv0go6b76g4&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=qpDSWATFc6fc441gjKMF6hgdvcZJKCTNltN5EolGlwo&e= > . However, > I haven't personally tested this, so I cannot provide any more details > beyond pointing to the announcement. > > On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant < > capistrant.lu...@gmail.com> wrote: > > > Since it is “critical” severity, I think it would be a good idea to > > seriously consider pushing out a minor version of 0.22.x. Especially > since > > the mitigation strategy outlined in the CVE is not available in the log4j > > version that exists today in the current stable release. There is past > > precedent for such releases: see 0.20.2 > > > > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com > > .invalid> > > wrote: > > > > > Hello, regarding > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_druid_pull_12051&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=WGWSrb1gDnt3pidi5VPE0ibY1jS_KC7J9n56Bm7YPOU&e= > which merged > > > to > > > master, > > > > > > Is it a common practice for the project to backport and release a new > > minor > > > for the latest version? > > > > > >