...sooooo 1.15.1 was fun.  But there is another log4j 2.x
vulnerability reported.  While we remain minimally exposed we should
just get this over with totally.  There are changes on main now which
eliminate the usage of log4j 2.x core entirely and block usage of it
going forward.  Components can still use log4j as they always could
but they must bridge to slf4j using the proper dependencies as they
always should have anyway.  We have the latest logback.  All logs
should route to slf4j which we then actually write out using logback.

So I'm going to go ahead and kick off a 1.15.2 to let us get this
resolved formally and help alleviate concerns folks tend to have now
around logging related vulnerabilities.

Thanks
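
As an added illustration (not code from the NiFi project or from this thread), a Maven fragment showing the arrangement described above: components keep depending only on the Log4j 2 API, log4j-to-slf4j bridges it into SLF4J, logback-classic is the one backend that writes output, and maven-enforcer-plugin's bannedDependencies rule makes the build fail if log4j-core ever comes back, directly or transitively. The `${log4j.version}` and `${logback.version}` properties are assumed to be defined elsewhere in the POM.

```xml
<!-- Added example (not NiFi's pom): keep the Log4j 2 API for components,
     route it into SLF4J, write logs with Logback, and ban log4j-core. -->
<project>
  <dependencies>
    <!-- Components may still code against the Log4j 2 API... -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <!-- ...but log4j-to-slf4j forwards every Log4j 2 call into SLF4J,
         so log4j-core (the implementation) is never on the classpath. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-to-slf4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <!-- Logback is the single backend that actually writes the logs. -->
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Fail the build if any module or transitive dependency
           pulls log4j-core back in (transitive search is the default). -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.logging.log4j:log4j-core</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree | grep log4j-core` after the change to confirm nothing still pulls the implementation in through another path.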

On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <joe.w...@gmail.com> wrote:
>
> Here are the JIRAs I grabbed from the 1.16/main line to pull into
> 1.15.1 in addition.
>
> https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
>
> Thanks
>
> On Mon, Dec 13, 2021 at 10:08 PM Joe Witt <joe.w...@gmail.com> wrote:
> >
> > Goodness.  Two RC build release processes have failed a couple hours
> > into it due to apparent network/availability issues while sending
> > artifacts to repository.apache.org.  I can only assume they're getting
> > hit with a lot of projects trying to do a lot of uploads and such.
> > Will try again in a bit/first thing in AM.  Once we can get a
> > successful build up I might suggest we do what log4j has done and
> > simply open the vote long enough to get enough binding +1 votes and
> > get this out there.
> >
> > Thanks
> >
> > On Mon, Dec 13, 2021 at 10:04 AM Joe Witt <joe.w...@gmail.com> wrote:
> > >
> > > Thanks - will roll with that
> > >
> > > On Mon, Dec 13, 2021 at 10:03 AM David Handermann
> > > <exceptionfact...@apache.org> wrote:
> > > >
> > > > PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> > > > version updates to Log4j 2 dependencies.  It also excludes log4j-core older
> > > > than 2.15.0 from build artifacts, so this should provide a good basis for a
> > > > patch release.
> > > >
> > > > https://github.com/apache/nifi/pull/5598
> > > >
> > > > Regards,
> > > > David Handermann
> > > >
> > > > On Mon, Dec 13, 2021 at 10:44 AM Chris Sampson
> > > > <chris.samp...@naimuri.com.invalid> wrote:
> > > >
> > > > > I'd agree. The discussions in Slack and separate user mailing list thread
> > > > > are a reassurance for users (who read them), but a patch for the current
> > > > > 1.15 branch would seem sensible for people to pick up and assuage any
> > > > > remaining security concerns they may have around the library.
> > > > >
> > > > > That leaves 1.16 a little longer to get more good stuff merged in for the
> > > > > next feature release.
> > > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Chris Sampson
> > > > >
> > > > > On Mon, 13 Dec 2021, 14:19 David Handermann, <exceptionfact...@apache.org>
> > > > > wrote:
> > > > >
> > > > > > Joe,
> > > > > >
> > > > > > Thanks for starting this discussion. Moving forward with a 1.15.1 patch
> > > > > > release sounds like the best path forward.
> > > > > >
> > > > > > Regards,
> > > > > > David Handermann
> > > > > >
> > > > > > On Mon, Dec 13, 2021 at 7:49 AM Joe Witt <joe.w...@gmail.com> wrote:
> > > > > >
> > > > > > > Team
> > > > > > >
> > > > > > > We still don't think we are vulnerable but this now highly risky library is
> > > > > > > present.  We have PRs to eliminate it/main is fixed.   I think we should do
> > > > > > > a 24 hour 1.15.1 release/vote for it.   It will eliminate concerns for
> > > > > > > users.   We are frankly pretty close to a 1.16 release at this point as
> > > > > > > well it seems but can circle back.
> > > > > > >
> > > > > > >
> > > > > > > Any different views on 1.15.1?
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > >
> > > > >