It seems that Ralph has already started to work on a PR to remove message lookups altogether from 2.x.
I have come around to Volkan’s point that we don’t want to ask users to upgrade Log4j every week. So it may be better to cancel the 2.15.1 release and have a dedicated security release 2.16.0 with just the JNDI change and removing message lookups altogether. Does anyone have a strong desire to release 2.15.1 with just the JNDI change?

> On Dec 13, 2021, at 11:06, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Should we proceed with 2.15.1 or cancel it and go to 2.16.0 straight away?
>
> Gary
>
>> On Sun, Dec 12, 2021, 20:40 Remko Popma <remko.po...@gmail.com> wrote:
>>
>> I am also okay with removing Message Lookups from 2.x.
>> A release with that change should be called 2.16.0 though, not 2.15.1 or 2.15.2.
>>
>> Also it makes sense to *only* have that security change (removing Message Lookups) in such a 2.16.0 release and not add other features.
>> This will reduce the testing burden for people looking to upgrade.
>>
>> On Mon, Dec 13, 2021 at 8:12 Ralph Goers <ralph.go...@dslextreme.com> wrote:
>>
>>> Volkan,
>>>
>>> While ASF rules say a -1 vote is not a veto, for all practical purposes the release manager is going to consider it a blocker.
>>>
>>> A release that removes JNDI will prevent people from inadvertently using the JNDI Lookup, JMS, or JndiContextSelector without understanding the security risk of using them. Message Lookups are a different problem. We are not disabling JNDI so people can re-enable message lookups. That would be crazy. We are disabling JNDI because, despite all the fixes we have made, I still don’t trust it.
>>>
>>> We have all agreed Message Lookups need to be killed in master. If we are all in agreement to kill them now in 2.x I’m fine with that, but the two are separate issues.
>>>
>>> If you are OK with the release then your vote should be anything but -1. If you really feel it needs a -1 then we need to see if we are all ok completely removing the option to re-enable message lookups. I would completely understand if that is what you want and I would support that, so please don’t feel pressured to give in.
>>>
>>> Ralph
>>>
>>>> On Dec 12, 2021, at 2:08 PM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>
>>>> You don't need my vote. As far as I count, you already have more than 3.
>>>>
>>>> I can imagine Ralph and the rest have worked sleeplessly for days. Hence if they think disabling JNDI buys us a benefit, so be it.
>>>>
>>>> If not millions, tens of thousands of people tried to upgrade Log4j to 2.15.0 recently. A release where JNDI lookup is disabled will only address people who still (astonishingly!) want to use "message lookups" – correct me if I'm wrong. Hence, I think in its current form, 2.15.1 will bring more confusion than benefit to the general audience. I think the fix to the vulnerability is to disable message lookups, not patches to the JNDI lookup. I want to believe that users get this fact right and have already disabled it. We need to be really careful with our next release. We can't expect people to upgrade once a week. Putting aside the damage it does to the reputation of the project.
>>>>
>>>> On Sun, Dec 12, 2021 at 9:47 PM Remko Popma <remko.po...@gmail.com> wrote:
>>>>
>>>>> First, is this really a blocker for 2.15.1?
>>>>> I think it is prudent to do urgent releases soon.
>>>>> This JNDI change (LOG4J2-3208 <https://issues.apache.org/jira/browse/LOG4J2-3208>) feels urgent enough to warrant another shortened vote window.
>>>>> A larger change like removing message lookups should not be rushed out like this, it needs review time.
>>>>>
>>>>> Second, do we really want to do this? Are we not overreacting?
>>>>> Would it not be better to remove lookups in message parameters only?
>>>>> (In implementation terms, resolve all lookups *before* interpolating the message parameters?)
>>>>>
>>>>> Also, let me state the obvious, lookups *in configuration* are tremendously useful and should not be removed.
>>>>> This may be obvious to some of us, but I just want to make sure there is no confusion about that (because I personally was confused about this at some point). :-)
>>>>>
>>>>> Finally, if we decide to do this, should a change like this be in a point/bugfix release (2.15.1) or should it be a separate minor release like 2.16.0?
>>>>>
>>>>> On Mon, Dec 13, 2021 at 5:10 AM Remko Popma <remko.po...@gmail.com> wrote:
>>>>>
>>>>>> Shall we discuss this first please?
>>>>>>
>>>>>> On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>
>>>>>>> If you can handle that change, I can roll a new release candidate.
>>>>>>>
>>>>>>> Matt Sicker
>>>>>>>
>>>>>>>> On Dec 12, 2021, at 14:07, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>
>>>>>>>> I know. I want them to be removed, not disabled.
>>>>>>>>
>>>>>>>>> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Those were already disabled in 2.15.0.
>>>>>>>>>
>>>>>>>>> Matt Sicker
>>>>>>>>>
>>>>>>>>>> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>>>>>>>
>>>>>>>>>> I very well recognize your heroic effort on tackling this issue and I am very thankful for that.
>>>>>>>>>> I vote -1, because I want message (not configuration!) lookups to be removed.
>>>>>>>>>>
>>>>>>>>>> Message lookups create a vast attack surface. Anything they offer can simply be implemented by the user.
>>>>>>>>>>
>>>>>>>>>>> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 project.
>>>>>>>>>>>
>>>>>>>>>>> Please download, test, and cast your votes on the log4j developers list.
>>>>>>>>>>> [] +1, release the artifacts
>>>>>>>>>>> [] -1, don't release because...
>>>>>>>>>>>
>>>>>>>>>>> The vote will remain open for 72 hours (or more if required). All votes are welcome and we encourage everyone to test the release, but only Logging PMC votes are “officially” counted. As always, at least 3 +1 votes and more positive than negative votes are required.
>>>>>>>>>>>
>>>>>>>>>>> Changes in this release include:
>>>>>>>>>>>
>>>>>>>>>>> Fixed Bugs
>>>>>>>>>>>
>>>>>>>>>>> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI.
>>>>>>>>>>>
>>>>>>>>>>> Tag:
>>>>>>>>>>> a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git" and then "git checkout tags/log4j-2.15.1-rc1", or just "git clone -b log4j-2.15.1-rc1 https://github.com/apache/logging-log4j2.git"
>>>>>>>>>>> b) for an existing working copy do “git pull” and then “git checkout tags/log4j-2.15.1-rc1”
>>>>>>>>>>>
>>>>>>>>>>> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html
>>>>>>>>>>>
>>>>>>>>>>> Maven Artifacts:
>>>>>>>>>>> https://repository.apache.org/content/repositories/orgapachelogging-1067/
>>>>>>>>>>>
>>>>>>>>>>> Distribution archives:
>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>>>>>>>>>>
>>>>>>>>>>> You may download all the Maven artifacts by executing:
>>>>>>>>>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/
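The ordering question Remko raises in the quoted thread (resolve lookups *before* interpolating message parameters, so that lookups keep working in configuration but not in untrusted message text) is easy to see in a small model. The following is an added illustration written for this page; it is not Log4j code and not something any participant posted. It assumes a hypothetical single-level `${key}` lookup syntax backed by a fixed, constructed table, and a `{}` placeholder syntax for parameters, so it does not reproduce Log4j's real substitution engine or nested-lookup handling.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Toy model of the two orderings discussed in the thread (added example, not Log4j code).
 * Lookup keys and their values are a constructed sample table.
 */
public class LookupOrderDemo {

    // Constructed stand-in for configuration lookups; a real logger would consult env/sys/etc.
    private static final Map<String, String> LOOKUPS = Map.of(
            "app.name", "billing-service",
            "hostname", "web-01");

    // Hypothetical single-level "${key}" syntax; no nesting or escaping is modelled here.
    private static final Pattern LOOKUP = Pattern.compile("\\$\\{([^}]*)\\}");

    /** Replace every ${key} in s with its table value; unknown keys are left as written. */
    static String resolveLookups(String s) {
        Matcher m = LOOKUP.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = LOOKUPS.getOrDefault(m.group(1), m.group(0));
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Substitute each "{}" placeholder with the next parameter verbatim, no lookup processing. */
    static String interpolate(String pattern, String... params) {
        StringBuilder out = new StringBuilder();
        int from = 0;
        int next = 0;
        for (int i = pattern.indexOf("{}"); i >= 0; i = pattern.indexOf("{}", from)) {
            out.append(pattern, from, i);
            out.append(next < params.length ? params[next++] : "{}");
            from = i + 2;
        }
        out.append(pattern.substring(from));
        return out.toString();
    }

    /**
     * The ordering the thread is worried about: parameters are dropped into the pattern first,
     * and the combined string (including untrusted parameter text) then goes through lookup
     * resolution, so "${...}" inside a parameter is evaluated.
     */
    static String formatLookupsAfterParams(String pattern, String... params) {
        return resolveLookups(interpolate(pattern, params));
    }

    /**
     * Remko's suggested ordering: lookups are resolved in the trusted pattern only, and the
     * untrusted parameters are inserted afterwards as plain text, so "${...}" in a parameter
     * stays literal. Configuration-side lookups keep working unchanged.
     */
    static String formatLookupsBeforeParams(String pattern, String... params) {
        return interpolate(resolveLookups(pattern), params);
    }

    public static void main(String[] args) {
        // Pattern is trusted (think: layout/configuration); the parameter is untrusted input.
        String pattern = "[${app.name}@${hostname}] login failed for user {}";
        String untrustedUserName = "${hostname}"; // constructed sample input containing lookup syntax

        // First line: the parameter's ${hostname} is resolved along with the pattern's lookups.
        System.out.println(formatLookupsAfterParams(pattern, untrustedUserName));
        // Second line: the pattern's lookups are resolved, the parameter is printed as-is.
        System.out.println(formatLookupsBeforeParams(pattern, untrustedUserName));
    }
}
```

Run with `java LookupOrderDemo.java` (Java 11 or later, since it relies on `Map.of` and single-file launch). The two printed lines differ only in the user-name field, which is exactly the distinction the thread draws between lookups in configuration (kept) and lookups in message parameters (removed): moving resolution ahead of interpolation removes the latter without touching the former.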