I started a release vote an hour ago. If you want to use the patched version soon, please help with reviewing the release :)
On Fri, Dec 10, 2021 at 12:22 PM Eyal Yurman <[email protected]> wrote: > Thank you for the fast response. > > On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <[email protected]> wrote: > > > We're working on this right now and will be getting a vote / release for > > 0.22.1 out asap. > > > > Btw, the log4j announcement mentions a mitigation that does work for our > > current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" > in > > the PatternLayout configuration: > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread_bfnl1stql187jytr0t5k0hv0go6b76g4&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=qpDSWATFc6fc441gjKMF6hgdvcZJKCTNltN5EolGlwo&e= > > . However, > > I haven't personally tested this, so I cannot provide any more details > > beyond pointing to the announcement. > > > > On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant < > > [email protected]> wrote: > > > > > Since it is “critical” severity, I think it would be a good idea to > > > seriously consider pushing out a minor version of 0.22.x. Especially > > since > > > the mitigation strategy outlined in the CVE is not available in the > log4j > > > version that exists today in the current stable release. There is past > > > precedent for such releases: see 0.20.2 > > > > > > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <[email protected] > > > .invalid> > > > wrote: > > > > > > > Hello, regarding > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_druid_pull_12051&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=SuBO953fsmU44ZHE0kwkYBIV-hvc-I5wqLvTFRA4RyA&m=gSJrS9K_MvHCpvyQVGe6FxHPFR1dN56YiTbzDAVkNqc&s=WGWSrb1gDnt3pidi5VPE0ibY1jS_KC7J9n56Bm7YPOU&e= > > which merged > > > > to > > > > master, > > > > > > > > Is it a common practice for the project to backport and release a new > > > minor > > > > for the latest version? > > > > > > > > > >
