I think the log4j-tools version should be set to 2.14.0 for an RC to match
the release of log4j. Thoughts?

Gary

On Thu, Dec 10, 2020, 15:45 Ralph Goers <ralph.go...@dslextreme.com> wrote:

> OK. Then I guess I forgot since it has been so long.
>
> Ralph
>
> > On Dec 10, 2020, at 1:09 PM, Gary Gregory <garydgreg...@gmail.com>
> > wrote:
> >
> > But there *is* an allowed list of Java classes and packages configured
> > in org.apache.logging.log4j.util.FilteredObjectInputStream which the
> > log4j-server module's servers use through
> > ObjectInputStreamLogEventBridge.
> >
> > Gary
> >
> > On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ralph.go...@dslextreme.com>
> > wrote:
> >
> >> There is a Jira issue to do that but as far as I know the Security bug
> >> was never addressed in that code. In a quick glance at it I still see it
> >> supporting Java serialized objects without any kind of whitelisting. I
> >> don’t see anything in that repo besides the log server and I wouldn’t
> >> want to release something with known security problems.
> >>
> >> Ralph
> >>
> >>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com>
> >>> wrote:
> >>>
> >>> Hi All:
> >>>
> >>> We've never released from
> >>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> >>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
> >>>
> >>> Gary
> >>
> >>
> >>
>
>
>
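The allow-listing the thread refers to, as an added illustration that is not the project's FilteredObjectInputStream or ObjectInputStreamLogEventBridge code: a hypothetical ObjectInputStream subclass that resolves only classes whose fully qualified name is on an explicit list or whose package matches an allowed prefix, and rejects every other class descriptor before the object is instantiated. The class name AllowListObjectInputStream, the sample NotAllowed type and the allow-list contents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Hypothetical allow-listing ObjectInputStream (example code, not the
 * project's FilteredObjectInputStream). resolveClass() is invoked for every
 * class descriptor in the stream, including serializable superclasses, so
 * the allow list must cover the whole hierarchy of each permitted type.
 */
public class AllowListObjectInputStream extends ObjectInputStream {
    private final Collection<String> allowedClasses;   // exact FQCNs
    private final Collection<String> allowedPackages;  // package prefixes

    public AllowListObjectInputStream(InputStream in,
                                      Collection<String> allowedClasses,
                                      Collection<String> allowedPackages) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
        this.allowedPackages = allowedPackages;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (isAllowed(name)) {
            return super.resolveClass(desc);
        }
        // Reject before the JVM loads or instantiates the class.
        throw new InvalidClassException(name, "class not on the deserialization allow list");
    }

    boolean isAllowed(String name) {
        if (allowedClasses.contains(name)) {
            return true;
        }
        for (String pkg : allowedPackages) {
            if (name.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed sample type that is deliberately NOT on the allow list. */
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    private static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(bytes),
                List.of("java.util.ArrayList"),   // constructed allow list: exact names
                List.of("java.lang."))) {          // constructed allow list: package prefixes
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // ArrayList is on the list; its String elements are written as
        // primitive string records and never reach resolveClass().
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + deserialize(serialize(ok)));

        // A type outside the list is rejected before it is instantiated.
        try {
            deserialize(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same policy can be expressed with the standard java.io.ObjectInputFilter (for example a pattern string passed to ObjectInputFilter.Config.createFilter and installed with setObjectInputFilter), which additionally bounds stream depth and array sizes; the subclass approach above is what works on older JDKs such as the Java 7/8 baseline of log4j 2.x at the time of this thread.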
