That's fair. I understand holding off on the v1.0.3 release. I'll just need to custom build myself a Log4j-patched version to use in the meantime.

Let me know if I can help at all in getting the PR merged into master. Thanks very much and I hope you all have a great holiday season!

~Brent

On Mon, Dec 20, 2021 at 12:12 PM Junkai Xue <[email protected]> wrote:

> Thanks Brent! Unfortunately, we cannot have 1.0.3 right now, since there are some changes between 1.0.2 and the current master not end-to-end verified. The thing is that even though we have the 1.0.3 version, Helix users on 0.8 or 0.9 are not able to use them because of the backward incompatibility in the major version. We may start the progress early next year.
>
> Thanks for your contribution!
>
> Best,
>
> Junkai
>
> On Mon, Dec 20, 2021 at 8:58 AM Brent <[email protected]> wrote:
>
> > (I joined in the discussion on the ZK list, thanks Patrick, though I know that comment is targeted more at the core Helix team than myself)
> >
> > I had a mis-step last week in determining which set of logging dependencies to use, but I think the PR is up-to-date and correct now: https://github.com/apache/helix/pull/1922
> >
> > All the tests ran successfully and all my spot testing of command line tools like the agent and controller seem to be behaving properly. Obviously any independent verification other folks are able to do would be super helpful.
> >
> > Assuming this all looks good and gets merged, will it be feasible to cut a new 1.0.3 release or at least make a new tag in GitHub? This is almost more of a "hotfix" type situation, so I'm not sure how you all normally handle that sort of thing. From my standpoint, I think it'd be really useful if there were a way for Helix customers to easily get their hands on a mitigated version. I know I personally am having to custom patch this in my environment currently, so being able to use an "official" release would make my life way easier.
> >
> > On a side note, Log4j 2.17.0 was just released, so we may also want to consider updating the PR from 2.16.0 too, which should be pretty easy.
> >
> > Thanks for your time and help!
> >
> > ~Brent
> >
> > On Thu, Dec 16, 2021 at 3:53 PM Patrick Hunt <[email protected]> wrote:
> >
> > > The ZK community has been discussing where to go wrt log4j/... -- as a "customer" if you have any insights it would be good for you to weigh in. Perhaps help out with testing early rcs and any downstream impact.
> > >
> > > Regards,
> > >
> > > Patrick
> > >
> > > On Thu, Dec 16, 2021 at 2:24 PM Hunter Lee <[email protected]> wrote:
> > >
> > > > Thanks Brent for a quick turnaround.
> > > >
> > > > With Helix we find that laptops aren't usually powerful enough to run tests. But around last year we started looking at GitHub CI for testing results for testing consistency.
> > > >
> > > > Seems that the test is still running, so let's wait this out and see what we get.
> > > >
> > > > Hunter
> > > >
> > > > On Thu, Dec 16, 2021 at 5:17 PM Junkai Xue <[email protected]> wrote:
> > > >
> > > > > Thanks Brent! Right, I was commenting on your PR with that. Maybe we need to run the patch you provided to double verify it before merging. Anyway, thanks for contributing to this!
> > > > >
> > > > > Best,
> > > > >
> > > > > Junkai
> > > > >
> > > > > On Thu, Dec 16, 2021 at 2:11 PM Brent <[email protected]> wrote:
> > > > >
> > > > > > I'm sure you all saw the notifications, but I pushed a PR for this at https://github.com/apache/helix/pull/1922
> > > > > >
> > > > > > I describe some of this in the PR, but the changes rippled out a little further than I thought, partly due to the Zookeeper dependency still bringing in vulnerable versions and partly due to a few places in code referencing Log4j 1.x APIs/packages/classes directly.
> > > > > >
> > > > > > My main concern, other than the magnitude of the change, is that I successfully ran all of the tests except helix-core. All of the helix-core tests succeeded up until the last 150 or so when I started getting out of memory errors, e.g.:
> > > > > > [ERROR] Failures:
> > > > > > [ERROR] TestConfigAccessor.testBasic:50 » OutOfMemory unable to create new native thre...
> > > > > > [ERROR] TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable to create ne...
> > > > > > [ERROR] TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to create new na...
> > > > > >
> > > > > > I can't tell if that's just my laptop or if it's a legitimate problem introduced by this change, so any independent verification (maybe the PR hooks already do this) would be greatly appreciated. I'm going to try to test this in one of our dev environments, but it would be great if someone else could independently verify too.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > ~Brent
> > > > > >
> > > > > > On Wed, Dec 15, 2021 at 11:01 AM Hunter Lee <[email protected]> wrote:
> > > > > >
> > > > > > > Thanks Brent. We'll keep an eye out for it.
> > > > > > >
> > > > > > > Hunter
> > > > > > >
> > > > > > > On Wed, Dec 15, 2021 at 12:42 AM Brent <[email protected]> wrote:
> > > > > > >
> > > > > > > > I filed this issue so we have something to track: https://github.com/apache/helix/issues/1921
> > > > > > > >
> > > > > > > > I'm attempting to get Log4J 2.16.x building and running properly locally. I will submit a PR if I can get it working.
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > >
> > > > > > > > On Tue, Dec 14, 2021 at 8:40 AM Brent <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Thanks Hunter, much appreciated! I will try to put together a patch with what I've done for remediation elsewhere (good news is it's not much since Helix still inherits Log4J 1.x). If you wouldn't mind, I might also file an issue to consider upgrading to Log4J 2.16.x that was just pushed out (https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4). That one will require some more thought to make sure things don't break, I suspect.
> > > > > > > > >
> > > > > > > > > ~Brent
> > > > > > > > >
> > > > > > > > > On Mon, Dec 13, 2021 at 1:42 PM Hunter Lee <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > > This is being discussed. Feel free to post a patch if you're interested (but do let us know so there's no duplicate effort being made here).
> > > > > > > > > >
> > > > > > > > > > On Fri, Dec 10, 2021 at 1:33 PM Brent <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > > [Feel free to take this offline or out-of-band if this is an inappropriate place to discuss this]
> > > > > > > > > > >
> > > > > > > > > > > Is there any hotfixing planned as a result of the Log4J zero day going around?
> > > > > > > > > > >
> > > > > > > > > > > Reference: https://www.lunasec.io/docs/blog/log4j-zero-day/
> > > > > > > > > > > CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> > > > > > > > > > >
> > > > > > > > > > > From what I can tell, Helix seems to be building with https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.14 which in turn maps to https://mvnrepository.com/artifact/log4j/log4j/1.2.17
> > > > > > > > > > >
> > > > > > > > > > > The exploit is more prevalent in the 2.x versions of Log4J, but there are scenarios where 1.x is exploitable and it's been pointed out that 1.x is also end of life and has other vulnerabilities.
> > > > > > > > > > >
> > > > > > > > > > > See: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> > > > > > > > > > >
> > > > > > > > > > > Thanks!
> > > > > > > > > > >
> > > > > > > > > > > ~Brent
>
> --
> Junkai Xue
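The thread above turns on which Log4j artifacts a Maven build actually resolves: the slf4j-log4j12 binding that maps to log4j 1.2.17, and the ZooKeeper dependency that kept bringing in other versions after the PR. A practitioner verifying a fix like the one in PR 1922 wants a quick, repeatable check of the resolved tree rather than spot-reading it. The script below is an added example, not code from the thread or the Helix project. It audits `mvn dependency:tree` output and flags Log4j 1.x (end of life, as the thread notes), the slf4j-log4j12 binding, and log4j-core below a minimum version. The sample tree text, including the ZooKeeper version and the log4j versions it pulls in, is constructed for illustration, and the 2.17.0 default minimum is simply the target the thread suggests at the time; adjust it to whatever release is current.

```python
"""Audit `mvn dependency:tree` output for Log4j artifacts.

Added example for this thread; it is not Helix project code. It flags
Log4j 1.x (end of life, as the thread notes), the slf4j-log4j12 binding
that pulls Log4j 1.x in, and log4j-core below a minimum 2.x version
(2.17.0 by default, the target the thread suggests).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape `mvn dependency:tree` prints; the
# artifacts and versions are illustrative, not a real Helix tree.
SAMPLE_TREE = """\
[INFO] org.apache.helix:helix-core:jar:1.0.3-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.14:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:test
[INFO] \\- (org.apache.logging.log4j:log4j-core:jar:2.14.1:compile - omitted for duplicate)
"""

# Maven coordinates: group:artifact:type[:classifier]:version:scope
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){4,5}")

Coordinates = Tuple[str, str, str, str]  # (group, artifact, version, scope)


@dataclass(frozen=True)
class Finding:
    group_id: str
    artifact_id: str
    version: str
    scope: str
    reason: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version, e.g. '2.17.0-SNAPSHOT' -> (2, 17, 0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def parse_coordinates(line: str) -> Optional[Coordinates]:
    """Extract coordinates from one resolved tree line, or None."""
    # Verbose trees also list candidates Maven did not select; those
    # never reach the classpath, so skip them.
    if "omitted for" in line:
        return None
    match = COORD_RE.search(line)
    if not match:
        return None
    parts = match.group(0).split(":")
    if len(parts) == 5:  # no classifier
        return parts[0], parts[1], parts[3], parts[4]
    return parts[0], parts[1], parts[4], parts[5]  # with classifier


def classify(group: str, artifact: str, version: str,
             minimum: Tuple[int, ...]) -> str:
    """Return why this artifact is a concern, or '' if it is not."""
    if group == "log4j" and artifact == "log4j":
        return "Log4j 1.x is end of life and receives no fixes"
    if group == "org.slf4j" and artifact == "slf4j-log4j12":
        return "SLF4J binding that pulls in Log4j 1.x"
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        if parse_version(version) < minimum:
            return "log4j-core below " + ".".join(map(str, minimum))
    return ""


def audit_tree(tree_text: str,
               minimum: Tuple[int, ...] = (2, 17, 0)) -> List[Finding]:
    """Return one Finding per distinct flagged artifact in the tree."""
    findings: List[Finding] = []
    seen = set()
    for line in tree_text.splitlines():
        coords = parse_coordinates(line)
        if coords is None or coords in seen:
            continue
        seen.add(coords)
        group, artifact, version, scope = coords
        reason = classify(group, artifact, version, minimum)
        if reason:
            findings.append(Finding(group, artifact, version, scope, reason))
    return findings


if __name__ == "__main__":
    # Usage: mvn dependency:tree > tree.txt && python audit_log4j.py tree.txt
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in audit_tree(text):
        print(f"{f.group_id}:{f.artifact_id}:{f.version} ({f.scope}) - {f.reason}")
```

Run against a saved `mvn dependency:tree` for each module (helix-core, the agent, and so on) before and after a logging change; an empty result for the compile and runtime scopes is the condition the PR is trying to reach. The dedup on full coordinates keeps one line per distinct artifact even when it appears under several parents, and the scope is reported so a test-only 2.x artifact is not mistaken for the production classpath.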
