Thanks Brent! Unfortunately, we cannot have 1.0.3 right now, since there
are some changes between 1.0.2 and the current master that are not end-to-end
verified. The thing is that even though we have the 1.0.3 version, Helix
users on 0.8 or 0.9 are not able to use it because of the backward
incompatibility in the major version.  We may start the process early next
year.

Thanks for your contribution!

Best,

Junkai

On Mon, Dec 20, 2021 at 8:58 AM Brent <[email protected]> wrote:

> (I joined in the discussion on the ZK list, thanks Patrick, though I know
> that comment is targeted more at the core Helix team than myself)
>
> I had a mis-step last week in determining which set of logging dependencies
> to use, but I think the PR is up-to-date and correct now:
> https://github.com/apache/helix/pull/1922
>
> All the tests ran successfully and all my spot testing of command line
> tools like the agent and controller seem to be behaving properly.
> Obviously any independent verification other folks are able to do would be
> super helpful.
>
> Assuming this all looks good and gets merged, will it be feasible to cut a
> new 1.0.3 release or at least make a new tag in GitHub?  This is almost
> more of a "hotfix" type situation, so I'm not sure how you all normally
> handle that sort of thing.  From my standpoint, I think it'd be really
> useful if there were a way for Helix customers to easily get their hands on
> a mitigated version.  I know I personally am having to custom patch this in
> my environment currently, so being able to use an "official" release would
> make my life way easier.
>
> On a side note, a Log4j 2.17.0 was just released, so we may also want to
> consider updating the PR from 2.16.0 too, which should be pretty easy.
>
> Thanks for your time and help!
>
> ~Brent
>
> On Thu, Dec 16, 2021 at 3:53 PM Patrick Hunt <[email protected]> wrote:
>
> > The ZK community has been discussing where to go wrt log4j/... -- as a
> > "customer" if you have any insights it would be good for you to weigh in.
> > Perhaps help out with testing early rcs and any downstream impact.
> >
> > Regards,
> >
> > Patrick
> >
> > On Thu, Dec 16, 2021 at 2:24 PM Hunter Lee <[email protected]> wrote:
> >
> > > Thanks Brent for a quick turnaround.
> > >
> > > With Helix we find that laptops aren't usually powerful enough to run
> > > tests. But around last year we started looking at GitHub CI for testing
> > > results for testing consistency.
> > >
> > > Seems that the test is still running, so let's wait this out and see
> > > what we get.
> > >
> > > Hunter
> > >
> > > On Thu, Dec 16, 2021 at 5:17 PM Junkai Xue <[email protected]> wrote:
> > >
> > > > Thanks Brent! Right, I was commenting on your PR with that. Maybe we
> > > > need to run the patch you provided to double verify it before merging.
> > > > Anyway, thanks for contributing to this!
> > > >
> > > > Best,
> > > >
> > > > Junkai
> > > >
> > > > On Thu, Dec 16, 2021 at 2:11 PM Brent <[email protected]> wrote:
> > > >
> > > > > I'm sure you all saw the notifications, but I pushed a PR for this
> > > > > at https://github.com/apache/helix/pull/1922
> > > > >
> > > > > I describe some of this in the PR, but the changes rippled out a
> > > > > little further than I thought, partly due to the Zookeeper dependency
> > > > > still bringing in vulnerable versions and partly due to a few places
> > > > > in code referencing Log4j 1.x APIs/packages/classes directly.
> > > > >
> > > > > My main concern, other than the magnitude of the change, is that I
> > > > > successfully ran all of the tests except helix-core.  All of the
> > > > > helix-core tests succeeded up until the last 150 or so when I started
> > > > > getting out of memory errors, e.g.:
> > > > > [ERROR] Failures:
> > > > > [ERROR]   TestConfigAccessor.testBasic:50 » OutOfMemory unable to create new native thre...
> > > > > [ERROR]   TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable to create ne...
> > > > > [ERROR]   TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to create new na...
> > > > >
> > > > > I can't tell if that's just my laptop or if it's a legitimate
> > > > > problem introduced by this change, so any independent verification
> > > > > (maybe the PR hooks already do this) would be greatly appreciated.
> > > > > I'm going to try to test this in one of our dev environments, but it
> > > > > would be great if someone else could independently verify too.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > ~Brent
> > > > >
> > > > > On Wed, Dec 15, 2021 at 11:01 AM Hunter Lee <[email protected]> wrote:
> > > > >
> > > > > > Thanks Brent. We'll keep an eye out for it.
> > > > > >
> > > > > > Hunter
> > > > > >
> > > > > > On Wed, Dec 15, 2021 at 12:42 AM Brent <[email protected]> wrote:
> > > > > >
> > > > > > > I filed this issue so we have something to track:
> > > > > > > https://github.com/apache/helix/issues/1921
> > > > > > >
> > > > > > > I'm attempting to get Log4J 2.16.x building and running properly
> > > > > > > locally. I will submit a PR if I can get it working.
> > > > > > >
> > > > > > > Thanks!
> > > > > > >
> > > > > > > On Tue, Dec 14, 2021 at 8:40 AM Brent <[email protected]> wrote:
> > > > > > >
> > > > > > > > Thanks Hunter, much appreciated!  I will try to put together a
> > > > > > > > patch with what I've done for remediation elsewhere (good news
> > > > > > > > is it's not much since Helix still inherits Log4J 1.x).  If you
> > > > > > > > wouldn't mind, I might also file an issue to consider upgrading
> > > > > > > > to Log4J 2.16.x that was just pushed out
> > > > > > > > (https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4).
> > > > > > > > That one will require some more thought to make sure things
> > > > > > > > don't break I suspect.
> > > > > > > >
> > > > > > > > ~Brent
> > > > > > > >
> > > > > > > > On Mon, Dec 13, 2021 at 1:42 PM Hunter Lee <[email protected]> wrote:
> > > > > > > >
> > > > > > > >> This is being discussed. Feel free to post a patch if you're
> > > > > > > >> interested (but do let us know so there's no duplicate effort
> > > > > > > >> being made here).
> > > > > > > >>
> > > > > > > >> On Fri, Dec 10, 2021 at 1:33 PM Brent <[email protected]> wrote:
> > > > > > > >>
> > > > > > > >> > [Feel free to take this offline or out-of-band if this is
> > > > > > > >> > an inappropriate place to discuss this]
> > > > > > > >> >
> > > > > > > >> > Is there any hotfixing planned as a result of the Log4J
> > > > > > > >> > zero day going around?
> > > > > > > >> >
> > > > > > > >> > Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > > > > >> > CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > > > > > >> >
> > > > > > > >> > From what I can tell, Helix seems to be building with
> > > > > > > >> > https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14
> > > > > > > >> > which in turn maps to
> > > > > > > >> > https://mvnrepository.com/artifact/log4j/log4j/1.2.17
> > > > > > > >> >
> > > > > > > >> > The exploit is more prevalent in the 2.x versions of Log4J,
> > > > > > > >> > but there are scenarios where 1.x is exploitable and it's
> > > > > > > >> > been pointed out that 1.x is also end of life and has other
> > > > > > > >> > vulnerabilities.
> > > > > > > >> >
> > > > > > > >> > See:
> > > > > > > >> > https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > > > > > > >> >
> > > > > > > >> > Thanks!
> > > > > > > >> >
> > > > > > > >> > ~Brent
> > > > > > > >> >
> > > > > > > >>
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>


-- 
Junkai Xue
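The dependency chain Brent traces in the quoted thread (slf4j-log4j12 pulling in log4j 1.2.17, and the Zookeeper dependency transitively bringing in an older log4j-core) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the Helix project or from anyone in the thread; it parses a constructed `mvn dependency:tree` sample that mirrors that chain and flags the artifacts the thread discusses, using Log4j 2.17.0 (the release Brent mentions) as the floor.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the Helix
# build); it mirrors the chain described in the thread: slf4j-log4j12 pulling
# in log4j 1.2.17, and Zookeeper transitively pulling in an older log4j-core.
SAMPLE_TREE = """\
[INFO] org.apache.helix:helix-core:jar:1.0.3-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.14:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.2:compile
[INFO] \\- org.testng:testng:jar:6.14.3:test
"""

MIN_LOG4J2 = (2, 17, 0)  # the Log4j 2 release the thread settles on

def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.13.2' -> (2, 13, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, version) for each line of the tree."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        coord = body.lstrip("|+\\- ")            # drop the tree-drawing prefix
        depth = (len(body) - len(coord)) // 3    # each tree level is 3 columns
        parts = coord.split(":")
        if len(parts) >= 4:                      # group:artifact:packaging:version[:scope]
            deps.append((depth, parts[0], parts[1], parts[3]))
    return deps

def audit(text: str) -> List[str]:
    """Flag the artifacts discussed in the thread; transitive ones are marked."""
    findings = []
    for depth, group, artifact, version in parse_tree(text):
        coord = f"{group}:{artifact}:{version}" + (" (transitive)" if depth > 1 else "")
        if (group, artifact) == ("log4j", "log4j"):
            findings.append(f"{coord}: Log4j 1.x is end of life; migrate to Log4j 2")
        elif (group, artifact) == ("org.slf4j", "slf4j-log4j12"):
            findings.append(f"{coord}: SLF4J binding that pulls in Log4j 1.x")
        elif (group, artifact) == ("org.apache.logging.log4j", "log4j-core") \
                and version_tuple(version) < MIN_LOG4J2:
            findings.append(f"{coord}: log4j-core below 2.17.0; pin it in dependencyManagement")
    return findings
```

Run it against the real output of `mvn dependency:tree` to see transitive paths (such as the one through Zookeeper) that a top-level pom inspection misses.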
