Shall we discuss this first please? On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
> If you can handle that change, I can roll a new release candidate. > > Matt Sicker > > > On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote: > > > > I know. I want them to be removed, not disabled. > > > >> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote: > >> > >> Those were already disabled in 2.15.0. > >> > >> Matt Sicker > >> > >>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote: > >>> > >>> I very well recognize your heroic effort on tackling this issue and I > am > >>> very thankful for that. > >>> I vote -1, because I want message (not configuration!) lookups to be > >>> removed. > >>> > >>> Message lookups create a vast attack surface. Anything they offer can > >>> simply be implemented by the user. > >>> > >>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote: > >>>> > >>>> This is a vote to release Log4j 2.15.1, the next version of the Log4j > 2 > >>>> project. > >>>> > >>>> Please download, test, and cast your votes on the log4j developers > list. > >>>> [] +1, release the artifacts > >>>> [] -1, don't release because... > >>>> > >>>> The vote will remain open for 72 hours (or more if required). All > votes > >>>> are welcome and we encourage everyone to test the release, but only > >> Logging > >>>> PMC votes are “officially” counted. As always, at least 3 +1 votes and > >> more > >>>> positive than negative votes are required. > >>>> > >>>> Changes in this release include: > >>>> > >>>> Fixed Bugs > >>>> > >>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to > be > >>>> set to true to allow JNDI. > >>>> > >>>> Tag: > >>>> a) for a new copy do "git clone > >>>> https://github.com/apache/logging-log4j2.git < > >>>> https://github.com/apache/logging-log4j2.git>" and then "git checkout > >>>> tags/log4j-2.15.1-rc1” or just "git clone -b log4j-2.15.1-rc1 > >>>> https://github.com/apache/logging-log4j2.git < > >>>> https://github.com/apache/logging-log4j2.git>" > >>>> b) for an existing working copy to “git pull” and then “git checkout > >>>> tags/log4j-2.15.1-rc1” > >>>> > >>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html < > >>>> https://logging.staged.apache.org/log4j/2.x/index.html>. > >>>> > >>>> Maven Artifacts: > >>>> > >> > https://repository.apache.org/content/repositories/orgapachelogging-1067/ > >>>> > >>>> Distribution archives: > >>>> https://dist.apache.org/repos/dist/dev/logging/log4j/ < > >>>> https://dist.apache.org/repos/dist/dev/logging/log4j/> > >>>> > >>>> You may download all the Maven artifacts by executing: > >>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate > >>>> > >> > https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/ > >> >
