After 2.15.0, all the problems require you to manually put some special
markers in the pattern layout in your configuration file, so it is already
less harmful; we do not have something like %m{lookup} in the pattern layout
by default.

Anyway, since we haven’t released 3.0.0-alpha-2 yet, let’s upgrade to the
newest version.

But staying on log4j1 should not be considered a solution. Log4j1 died
long ago and it has several CVEs that no one wants to fix, and our
statement was just ‘do not use the feature’. That’s why we want to migrate
to log4j2. Every project may have CVEs, so I think whether there are still
enough people maintaining the project is the most important thing. Log4j2 is
already the most active logging framework; another option is logback, but
there were no releases for nearly 4 years before 2021…

Thanks. Let me upgrade the log4j2 to 2.17.0 and send out RC2.

Andrew Purtell <apurt...@apache.org> wrote on Sun, Dec 19, 2021 at 05:25:

> Apologies, I managed to hit the send button before finishing. My veto can
> be cured by upgrading Log4J to ** 2.17.0 ** . See
> https://logging.apache.org/log4j/2.x/security.html.
>
> On Sat, Dec 18, 2021 at 1:22 PM Andrew Purtell <apurt...@apache.org>
> wrote:
>
> > -1 (binding)
> >
> > The Log4J issues are not fixed by 2.15.
> >
> > I wish we had remained on Log4J 1. Hadoop 3 is still on 1, although I
> know
> > they have plans to upgrade. It does not seem advisable to use Log4J 2 at
> > all actually. Another option that does not include such a dangerous
> > reference/rewrite mechanism might be preferable.
> >
> > On Sat, Dec 18, 2021 at 12:02 PM Josh Elser <els...@apache.org> wrote:
> >
> >> +1 (binding)
> >>
> >> * Xsums/sigs good
> >> * Can build from source
> >> * Log4j 2.15 is included (more on this below)
> >> * log4j2.formatMsgNoLookups=true is set (multiple times per process, but
> >> properly set)
> >> * hbase-config.sh issue is fixed over rc1
> >>
> >> Best as I've been able to keep up, it seems like we should already
> >> upgrade to log4j 2.16 due to issues in 2.15. There are also rumblings
> >> that 2.16 may have issues still. It's my opinion that the changes we
> >> have here in rc2 are a massive improvement over before. I think this is
> >> fine; I just wanted to acknowledge that we may still need to update
> >> again real soon.
> >>
> >> Thanks for your release manager work, Duo!
> >>
> >> On 12/14/21 9:06 AM, Duo Zhang wrote:
> >> > Please vote on this Apache hbase release candidate,
> >> > hbase-3.0.0-alpha-2RC1
> >> >
> >> > The VOTE will remain open for at least 72 hours.
> >> >
> >> > [ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
> >> > [ ] -1 Do not release this package because ...
> >> >
> >> > The tag to be voted on is 3.0.0-alpha-2RC1:
> >> >
> >> >    https://github.com/apache/hbase/tree/3.0.0-alpha-2RC1
> >> >
> >> > This tag currently points to git reference
> >> >
> >> >    a3ff8e4c812eefab6ad32af45ca449a1395a6510
> >> >
> >> > The release files, including signatures, digests, as well as
> CHANGES.md
> >> > and RELEASENOTES.md included in this RC can be found at:
> >> >
> >> >    https://dist.apache.org/repos/dist/dev/hbase/3.0.0-alpha-2RC1/
> >> >
> >> > Maven artifacts are available in a staging repository at:
> >> >
> >> >
> >> https://repository.apache.org/content/repositories/orgapachehbase-1473/
> >> >
> >> > Artifacts were signed with the 9AD2AE49 key which can be found in:
> >> >
> >> >    https://downloads.apache.org/hbase/KEYS
> >> >
> >> > 3.0.0-alpha-2 is the second alpha release for our 3.0.0 major release
> >> line.
> >> > HBase 3.0.0 includes the following big feature/changes:
> >> >    Synchronous Replication
> >> >    OpenTelemetry Tracing
> >> >    Distributed MOB Compaction
> >> >    Backup and Restore
> >> >    Move RSGroup balancer to core
> >> >    Reimplement sync client on async client
> >> >    CPEPs on shaded proto
> >> >    Move the logging framework from log4j to log4j2
> >> >
> >> > 3.0.0-alpha-2 contains a critical security fix for addressing the
> log4j2
> >> > CVE-2021-44228. All users who already use 3.0.0-alpha-1 should upgrade
> >> > to 3.0.0-alpha-2 ASAP.
> >> >
> >> > Notice that this is not a production ready release. It is used to let
> >> our
> >> > users try and test the new major release, to get feedback before the
> >> final
> >> > GA release is out.
> >> > So please do NOT use it in production. Just try it and report back
> >> > everything you find unusual.
> >> >
> >> > And this time we will not include CHANGES.md and RELEASENOTE.md
> >> > in our source code, you can find it on the download site. For getting
> >> these
> >> > two files for old releases, please go to
> >> >
> >> >    https://archive.apache.org/dist/hbase/
> >> >
> >> > To learn more about Apache hbase, please see
> >> >
> >> >    http://hbase.apache.org/
> >> >
> >> > Thanks,
> >> > Your HBase Release Manager
> >> >
> >>
> >
> >
> > --
> > Best regards,
> > Andrew
> >
> > Words like orphans lost among the crosstalk, meaning torn from truth's
> > decrepit hands
> >    - A23, Crosstalk
> >
>
>
> --
> Best regards,
> Andrew
>
> Words like orphans lost among the crosstalk, meaning torn from truth's
> decrepit hands
>    - A23, Crosstalk
>
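
As an added example that is not part of the thread: a small audit of an HBase-style lib/ directory against the points raised above (the 2.17.0 floor Andrew's veto asks for, the JndiLookup class behind CVE-2021-44228, and the log4j2.formatMsgNoLookups property Josh checked). The jar names, the temporary fixture and the JVM argument string are constructed here, not taken from an HBase release.

```python
"""Audit log4j-core jars and JVM flags for the CVE-2021-44228 mitigations.
Example code added to the thread; not HBase's or Log4j's own tooling.
Assumes jars follow the log4j-core-<major>.<minor>.<patch>.jar naming."""
import re
import tempfile
import zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 0)  # the floor the thread settles on for the RC
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def audit_jar(jar_path):
    """Return (version, jndi_lookup_present, acceptable) or None if not log4j-core."""
    m = JAR_RE.match(jar_path.name)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(jar_path) as zf:
        jndi_present = JNDI_LOOKUP in zf.namelist()
    # The version floor decides; the class is still shipped in 2.17.x with
    # JNDI disabled by default, so its presence is reported only as context.
    return version, jndi_present, version >= MIN_VERSION


def audit_lib_dir(lib_dir):
    """Map jar file name -> audit result for every log4j-core jar found."""
    results = {}
    for p in Path(lib_dir).glob("log4j-core-*.jar"):
        r = audit_jar(p)
        if r is not None:
            results[p.name] = r
    return results


def has_no_lookups_flag(jvm_args):
    """True if the formatMsgNoLookups mitigation is set on the JVM command line."""
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args.split()


def build_sample_lib_dir():
    """Constructed fixture: one 2.15.0 jar and one 2.17.0 jar, both carrying
    an empty placeholder JndiLookup entry. Not real Log4j bytecode."""
    lib = Path(tempfile.mkdtemp())
    for ver in ("2.15.0", "2.17.0"):
        with zipfile.ZipFile(lib / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr(JNDI_LOOKUP, b"")
    return lib


if __name__ == "__main__":
    for name, result in sorted(audit_lib_dir(build_sample_lib_dir()).items()):
        print(name, result)
```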
