Sorry, I made a mistake in my previous email: Pax Logging 2.0.12 uses Log4j 2.16.0. That's exactly the purpose of this new take.
> On 15 Dec 2021, at 07:40, Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
>
> Hello
>
> With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging
> 2.0.12 and 1.11.11 already use Log4j2 2.16.0.
>
> regards
> Grzegorz Grzybek
>
> Wed, 15 Dec 2021 at 07:36 Serge Huber <shu...@jahia.com.invalid> wrote:
>
>> Given that log4j 2.15.0 has been found to have a Denial of service should
>> we re-release with 2.16.0 ?
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>>
>> Note that previous mitigations involving configuration such as to set the
>> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
>> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
>> for message lookup patterns and disabling JNDI functionality by default.
>> This issue can be mitigated in prior releases (<2.16.0) by removing the
>> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
>> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>>
>> Regards,
>> Serge...
>>
>> Serge Huber
>> CTO & Co-Founder
>> T +41 22 361 3424
>> 9 route des Jeunes | 1227 Acacias | Switzerland
>> jahia.com <http://www.jahia.com/>
>> SKYPE | LINKEDIN <https://www.linkedin.com/in/sergehuber> | TWITTER
>> <https://twitter.com/sergehuber> | VCARD
>> <http://www.jahia.com/vcard/HuberSerge.vcf>
>>
>>> JOIN OUR COMMUNITY <http://www.jahia.com/> to evaluate, get trained and
>> to discover why Jahia is a leading User Experience Platform (UXP) for
>> Digital Transformation.
>>
>>> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <francois.pa...@openobject.fr> wrote:
>>>
>>> +1 (binding)
>>>
>>> Thanks JB!
>>>
>>> regards,
>>>
>>> Francois
>>>
>>> On 15/12/2021 05:43, JB Onofré wrote:
>>>> Hi everyone,
>>>>
>>>> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
>>>>
>>>> This release includes dependency upgrades, fixes, and improvements, especially:
>>>>
>>>> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important security issue (CVE-2021-44228) and fixing JNDI issue
>>>> - align dependencies versions between Karaf and Pax *
>>>> - fix missing system export packages
>>>> - fix on Karaf features json support
>>>> - fix features autoRefresh configuration handling
>>>> - fix on sshd session handling
>>>> - update to sshd 2.8.0
>>>> - lot of pax * updates
>>>> - and much more !
>>>>
>>>> Please take a look on Release Notes for details !
>>>>
>>>> Release Notes:
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>>>>
>>>> Staging Maven Repository:
>>>> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
>>>>
>>>> Staging Dist Repository:
>>>> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>>>>
>>>> Git tag:
>>>> karaf-4.3.4
>>>>
>>>> Please vote to approve this release:
>>>>
>>>> [ ] +1 Approve the release
>>>> [ ] -1 Don't approve the release (please provide specific comments)
>>>>
>>>> This vote will be open for at least 72 hours.
>>>>
>>>> Regards
>>>> JB
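
Added example (not part of the thread, and not Karaf or Pax Logging code): a Python check for the mitigation quoted above, reporting archives that still carry `JndiLookup.class` with a log4j-core version below the thread's 2.16.0 threshold, and going one step further by recursing into nested jars. The function and field names and the `pom.properties` version lookup are assumptions of this example; `make_jar` builds constructed sample data.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # threshold taken from the quoted advisory text ("<2.16.0")


def _version(zf):
    """Read the log4j-core version from pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", zf.read(POM_PROPS).decode(), re.M)
    return tuple(map(int, m.groups())) if m else None


def scan_archive(data, name="<archive>"):
    """Return findings for one jar/war/ear given as bytes, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = _version(zf)
        has_jndi = JNDI_CLASS in names
        if has_jndi or version is not None:
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Class present with an unknown version is flagged for manual review.
                "review": has_jndi and (version is None or version < FIXED),
            })
        for entry in names:
            if entry.lower().endswith((".jar", ".war", ".ear")):
                try:
                    findings += scan_archive(zf.read(entry), f"{name}!/{entry}")
                except zipfile.BadZipFile:
                    pass  # entry is not a readable archive; skip it
    return findings


def make_jar(version=None, with_jndi=False, nested=None):
    """Build a constructed sample archive in memory (test data, not a real Log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
        for entry, blob in (nested or {}).items():
            zf.writestr(entry, blob)
    return buf.getvalue()
```

To scan a file on disk, pass its bytes: `scan_archive(open(path, "rb").read(), path)`.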