Hi team I may close this vote faster than it is as usual(72 hours). Considering CVE-2021-44228 is widely known, even limited in specific JDK(JNDI default ON, or manually set)(only on JDK versions below 6u211, 7u201, 8u191 and 11.0.1)[1], people seem to feel scared(a little overreacting) than a CVE usually should be.
People keep asking, and as this patch release doesn't have any codes of ourselves, but only 2 dependencies. We should be fine to post it ASAP. [1] https://securityboulevard.com/2021/12/critical-new-0-day-vulnerability-in-popular-log4j-library-discovered-with-evidence-of-mass-scanning-for-affected-applications/amp/ Sheng Wu 吴晟 Twitter, wusheng1108 Kai Wan <[email protected]> 于2021年12月11日周六 11:01写道: > +1 binding > > 1. .sha files are checked. > 2. GPG signatures are signed by Sheng Wu. > 3. License header in the source is checked. > 4. Compilation passed. > 5. Tags are correct. > 6. Log4j version upgraded to 2.15.0 > ————————— > Kai Wan > GitHub @wankai123 > > Yanlong He <[email protected]> 于2021年12月11日周六 09:25写道: > > > > +1 > > > > 1. version correct > > 2. asc checked > > 3. sha512 exist > > 4. License and Notice exist > > > > > > > 在 2021年12月11日,07:35,Wei Zhang <[email protected]> 写道: > > > > > > +1 binding > > > > > > 1. version correct > > > 2. asc checked > > > 3. sha512 exist > > > 4. License and Notice exist >
