I started a release vote an hour ago. If you want to use the patched
version soon, please help with reviewing the release :)

On Fri, Dec 10, 2021 at 12:22 PM Eyal Yurman <eyurma...@yahooinc.com.invalid>
wrote:

> Thank you for the fast response.
>
> On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino <g...@apache.org> wrote:
>
> > We're working on this right now and will be getting a vote / release for
> > 0.22.1 out asap.
> >
> > Btw, the log4j announcement mentions a mitigation that does work for our
> > current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in
> > the PatternLayout configuration:
> >
> > https://lists.apache.org/thread/bfnl1stql187jytr0t5k0hv0go6b76g4
> >
> > However, I haven't personally tested this, so I cannot provide any more
> > details beyond pointing to the announcement.
> >
> > On Fri, Dec 10, 2021 at 10:27 AM Lucas Capistrant <capistrant.lu...@gmail.com> wrote:
> >
> > > Since it is “critical” severity, I think it would be a good idea to
> > > seriously consider pushing out a minor version of 0.22.x. Especially since
> > > the mitigation strategy outlined in the CVE is not available in the log4j
> > > version that exists today in the current stable release. There is past
> > > precedent for such releases: see 0.20.2
> > >
> > > On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com.invalid> wrote:
> > >
> > > > Hello, regarding https://github.com/apache/druid/pull/12051 which merged
> > > > to master,
> > > >
> > > > Is it a common practice for the project to backport and release a new
> > > > minor for the latest version?
> > > >
> > >
> >
>
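
Added example, not part of the original thread or the Druid project's code: a Python check for the "%m{nolookups}" mitigation mentioned above, listing the message converters in a log4j2 XML configuration's PatternLayout patterns that lack the option. The sample configuration and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Message converters (%m, %msg, %message) with optional width/precision and any
# trailing {option} groups; "%%" is a literal percent. The lookahead keeps
# longer converter names such as %marker, %map and %mdc from matching.
MESSAGE_CONVERTER = re.compile(
    r"%%|%-?\d*(?:\.-?\d+)?(message|msg|m)(?![A-Za-z])((?:\{[^{}]*\})*)")

def unprotected_converters(pattern):
    """Return the message converters in a pattern that lack {nolookups}."""
    found = []
    for match in MESSAGE_CONVERTER.finditer(pattern):
        if match.group(1) is None:      # matched the "%%" escape
            continue
        options = re.findall(r"\{([^{}]*)\}", match.group(2))
        if "nolookups" not in options:  # exact match, to err on the side of flagging
            found.append(match.group(0))
    return found

def audit_config(xml_text):
    """Map appender name -> unprotected converters, for each PatternLayout."""
    findings = {}
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for layout in parent.findall("PatternLayout"):
            # The pattern may be an attribute or a nested <Pattern> element.
            pattern = layout.get("pattern") or layout.findtext("Pattern") or ""
            bad = unprotected_converters(pattern)
            if bad:
                findings[parent.get("name", parent.tag)] = bad
    return findings

# Constructed sample configuration, not taken from Druid's distribution.
SAMPLE = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %-5p %marker 100%%m - %msg{nolookups}%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for appender, converters in audit_config(SAMPLE).items():
        print(f"{appender}: add {{nolookups}} to {converters}")
```

The Log4j project later described this pattern-level setting as an incomplete mitigation, so a clean result is a stopgap until the patched release is deployed.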
