Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Romain Manni-Bucau
+1

Romain Manni-Bucau
@rmannibucau | Blog | Old Blog | Github | LinkedIn | Book



On Wed, 15 Dec 2021 at 08:21, Roedl Lukas wrote:

> +1 (non-binding)
>
> regards,
> Lukas
>
> -----Original Message-----
> From: JB Onofré
> Sent: Wednesday, 15 December 2021 05:44
> To: dev@karaf.apache.org
> Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)
>
> Hi everyone,
>
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
>
> This release includes dependency upgrades, fixes, and improvements,
> especially:
>
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
>
> Please take a look on Release Notes for details !
>
> Release Notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
>
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>
> Git tag:
> karaf-4.3.4
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Regards
> JB
>
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Roedl Lukas
+1 (non-binding)

regards,
Lukas

-----Original Message-----
From: JB Onofré
Sent: Wednesday, 15 December 2021 05:44
To: dev@karaf.apache.org
Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread JB Onofré
Sorry, I made a mistake in my previous email: pax logging 2.0.12 uses log4j 2.16.0.
That’s exactly the purpose of this new take.

> On 15 Dec 2021 at 07:40, Grzegorz Grzybek wrote:
> 
> Hello
> 
> With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging
> 2.0.12 and 1.11.11 already use Log4j2 2.16.0.
> 
> regards
> Grzegorz Grzybek
> 
> On Wed, 15 Dec 2021 at 07:36, Serge Huber wrote:
> 
>> Given that log4j 2.15.0 has been found to have a Denial of service should
>> we re-release with 2.16.0 ?
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>> 
>> Note that previous mitigations involving configuration such as to set the
>> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
>> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
>> for message lookup patterns and disabling JNDI functionality by default.
>> This issue can be mitigated in prior releases (<2.16.0) by removing the
>> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
>> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>> 
>> Regards,
>>  Serge...
>> 
>> Serge Huber
>> CTO & Co-Founder
>> T +41 22 361 3424
>> 9 route des Jeunes | 1227 Acacias | Switzerland
>> jahia.com 
>> 
>> 
>>> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <
>>> francois.pa...@openobject.fr>
>>> wrote:
>>> 
>>> +1 (binding)
>>> 
>>> Thanks JB!
>>> 
>>> regards,
>>> 
>>> Francois
>>> 
>>> On 15/12/2021 05:43, JB Onofré wrote:
 Hi everyone,
 
 I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
 
 This release includes dependency upgrades, fixes, and improvements,
>>> especially:
 
 - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
>>> important security issue (CVE-2021-44228) and fixing JNDI issue
 - align dependencies versions between Karaf and Pax *
 - fix missing system export packages
 - fix on Karaf features json support
 - fix features autoRefresh configuration handling
 - fix on sshd session handling
 - update to sshd 2.8.0
 - lot of pax * updates
 - and much more !
 
 Please take a look on Release Notes for details !
 
 Release Notes:
 
>>> 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
 
 Staging Maven Repository:
 
>> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
 
 Staging Dist Repository:
 https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
 
 Git tag:
 karaf-4.3.4
 
 Please vote to approve this release:
 
 [ ] +1 Approve the release
 [ ] -1 Don't approve the release (please provide specific comments)
 
 This vote will be open for at least 72 hours.
 
 Regards
 JB
 
>>> 
>> 



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Grzegorz Grzybek
Hello

With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging
2.0.12 and 1.11.11 already use Log4j2 2.16.0.

regards
Grzegorz Grzybek

On Wed, 15 Dec 2021 at 07:36, Serge Huber wrote:

> Given that log4j 2.15.0 has been found to have a Denial of service should
> we re-release with 2.16.0 ?
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>
> Note that previous mitigations involving configuration such as to set the
> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
> for message lookup patterns and disabling JNDI functionality by default.
> This issue can be mitigated in prior releases (<2.16.0) by removing the
> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>
> Regards,
>   Serge...
>
> Serge Huber
> CTO & Co-Founder
> T +41 22 361 3424
> 9 route des Jeunes | 1227 Acacias | Switzerland
> jahia.com 
>
>
> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <
> francois.pa...@openobject.fr>
> wrote:
>
> > +1 (binding)
> >
> > Thanks JB!
> >
> > regards,
> >
> > Francois
> >
> > On 15/12/2021 05:43, JB Onofré wrote:
> > > Hi everyone,
> > >
> > > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> > >
> > > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> > >
> > > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228) and fixing JNDI issue
> > > - align dependencies versions between Karaf and Pax *
> > > - fix missing system export packages
> > > - fix on Karaf features json support
> > > - fix features autoRefresh configuration handling
> > > - fix on sshd session handling
> > > - update to sshd 2.8.0
> > > - lot of pax * updates
> > > - and much more !
> > >
> > > Please take a look on Release Notes for details !
> > >
> > > Release Notes:
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> > >
> > > Staging Maven Repository:
> > >
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> > >
> > > Staging Dist Repository:
> > > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> > >
> > > Git tag:
> > > karaf-4.3.4
> > >
> > > Please vote to approve this release:
> > >
> > > [ ] +1 Approve the release
> > > [ ] -1 Don't approve the release (please provide specific comments)
> > >
> > > This vote will be open for at least 72 hours.
> > >
> > > Regards
> > > JB
> > >
> >
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Serge Huber
Given that log4j 2.15.0 has been found to have a Denial of service should
we re-release with 2.16.0 ?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Note that previous mitigations involving configuration such as to set the
system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
for message lookup patterns and disabling JNDI functionality by default.
This issue can be mitigated in prior releases (<2.16.0) by removing the
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class).

Regards,
  Serge...

Serge Huber
CTO & Co-Founder
T +41 22 361 3424
9 route des Jeunes | 1227 Acacias | Switzerland
jahia.com 


On Wed, Dec 15, 2021 at 7:28 AM Francois Papon 
wrote:

> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 15/12/2021 05:43, JB Onofré wrote:
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
> >
>
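
The mitigation Serge quotes above (strip `JndiLookup.class` out of `log4j-core` jars older than 2.16.0) is easy to state and easy to get wrong at scale, because the first question on any host is which log4j-core version a jar actually is. The script below is an added example written for this page; it is not code from the thread, from Karaf, Pax Logging or Log4j. It reads the version from the jar's Maven `pom.properties`, reports whether `JndiLookup.class` is still present, decides whether removal is still needed using the `< 2.16.0` threshold from the thread, and performs the same entry removal that `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` does, in pure Python so it runs anywhere a JVM deployment is inspected. The jars it runs on are constructed in memory with placeholder class bytes (not real bytecode); `assess`, `strip_jndi_lookup`, `make_sample_jar` and `demo` are the example's own names.

```python
"""Check a log4j-core jar for JndiLookup.class and strip it if needed.

Added example for the thread above (not project code). Mirrors the quoted
`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
mitigation with the standard library only.
"""
import io
import re
import zipfile

# Entry name of the class that performs JNDI lookups (as quoted in the thread).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; used to read the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# From the thread: 2.16.0 disables JNDI by default, so removal targets < 2.16.0.
FIXED_IN = (2, 16, 0)


def parse_version(text):
    """Turn '2.15.0' into (2, 15, 0); any non-numeric suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def log4j_core_version(jar):
    """Return the version from the jar's pom.properties, or None if absent."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess(jar):
    """Report version, presence of JndiLookup.class and whether removal is needed.

    Removal is needed when the class is present and the version is unknown or
    older than 2.16.0, which is the condition quoted in the thread.
    """
    version = log4j_core_version(jar)
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    parsed = parse_version(version)
    fixed_by_version = parsed is not None and parsed >= FIXED_IN
    return {
        "version": version,
        "has_jndi_lookup": has_jndi,
        "needs_action": has_jndi and not fixed_by_version,
    }


def strip_jndi_lookup(jar_in, jar_out):
    """Copy every entry except JndiLookup.class to jar_out (Python `zip -d`).

    Returns the number of entries dropped (0 or 1).
    """
    removed = 0
    with zipfile.ZipFile(jar_in) as src, zipfile.ZipFile(jar_out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def make_sample_jar(version, with_jndi=True):
    """Build a constructed, in-memory stand-in for log4j-core (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        # Placeholder bytes: only the entry names matter for this check.
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


def demo():
    """Assess a constructed 2.15.0 jar before and after stripping, plus a 2.16.0 one."""
    vulnerable = make_sample_jar("2.15.0")
    before = assess(vulnerable)
    stripped = io.BytesIO()
    removed = strip_jndi_lookup(vulnerable, stripped)
    stripped.seek(0)
    after = assess(stripped)
    current = assess(make_sample_jar("2.16.0"))
    return {"before": before, "removed": removed, "after": after, "current": current}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real host you would pass jar paths instead of `BytesIO` objects; `assess` and `strip_jndi_lookup` accept either. Note that the version check is advisory only: a jar whose `pom.properties` was stripped by a shading or repackaging step reports `version: None`, and the script then falls back to the presence of the class alone, which is the conservative choice.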


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Francois Papon

+1 (binding)

Thanks JB!

regards,

Francois

On 15/12/2021 05:43, JB Onofré wrote:

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3).

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB



[VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread JB Onofré
Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB



[ANN] Pax Logging 2.0.12 and 1.11.11 released

2021-12-14 Thread Grzegorz Grzybek
Hello

Pax Logging 2.0.12 and 1.11.11 have been released with Log4j2 upgrade.

The Log4j2 version used is 2.16.0, which is a follow-up release related to
recent world-shaking CVE-2021-44228.
Version 2.16.0 polishes some corner cases related to message interpolation
and is NOT a required upgrade for this CVE.

The changelog is available at GitHub:
https://github.com/ops4j/org.ops4j.pax.logging/milestone/74?closed=1

kind regards
Grzegorz Grzybek


Re: [CANCEL][VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread J Cabrerizo
Yeah, you are right, that is probably for the best

Thank you for your response Romain

On Tue, 14 Dec 2021 at 11:28, Romain Manni-Bucau wrote:

> Hi Juan,
>
> No real way the vote is reduced cause ASF is distributed and all the PMC
> (at least) must be able to give their vote. (to be honest this is for the
> good to not be able to say "it is minor, let's do it in 1h", you can't
> imagine how many minor upgrades can break apps;)).
> This is one of the reason I think it is always better to move forward
> pending votes and redo a vote instead of rerolling if possible otherwise we
> get this delay which is quickly weeks.
>
>
> Just my 2 cts for future releases ;)
> Romain Manni-Bucau
>
>
> On Tue, 14 Dec 2021 at 12:09, J Cabrerizo wrote:
>
> > Hi Jean-Baptiste
> >
> > I understand and I completely support the idea of canceling this vote and
> > starting a new one. At the same time I wonder if, in benefit of time, the
> > votation period could be reduced from the standard 72 hours as it's a
> minor
> > -but important- change and it should change the previous votes.
> >
> > Karaf is a key dependency of us in Apache Brooklyn as it is for many
> other
> > projects , as fast it can it bumped the better, and if we can do it this
> > week, it really will help us.
> >
> > Thanks again for all the great work in the project.
> >
> > Juan
> >
>


Re: [CANCEL][VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Romain Manni-Bucau
Hi Juan,

No real way the vote is reduced cause ASF is distributed and all the PMC
(at least) must be able to give their vote. (to be honest this is for the
good to not be able to say "it is minor, let's do it in 1h", you can't
imagine how many minor upgrades can break apps;)).
This is one of the reason I think it is always better to move forward
pending votes and redo a vote instead of rerolling if possible otherwise we
get this delay which is quickly weeks.


Just my 2 cts for future releases ;)
Romain Manni-Bucau



On Tue, 14 Dec 2021 at 12:09, J Cabrerizo wrote:

> Hi Jean-Baptiste
>
> I understand and I completely support the idea of canceling this vote and
> starting a new one. At the same time I wonder if, in benefit of time, the
> votation period could be reduced from the standard 72 hours as it's a minor
> -but important- change and it should change the previous votes.
>
> Karaf is a key dependency of us in Apache Brooklyn as it is for many other
> projects , as fast it can it bumped the better, and if we can do it this
> week, it really will help us.
>
> Thanks again for all the great work in the project.
>
> Juan
>


Re: [CANCEL][VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread J Cabrerizo
Hi Jean-Baptiste

I understand and I completely support the idea of canceling this vote and
starting a new one. At the same time I wonder if, in benefit of time, the
votation period could be reduced from the standard 72 hours as it's a minor
-but important- change and it should change the previous votes.

Karaf is a key dependency of us in Apache Brooklyn as it is for many other
projects , as fast it can it bumped the better, and if we can do it this
week, it really will help us.

Thanks again for all the great work in the project.

Juan


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Achim Nierbeck
Thanks JB,
I think it's a good signal for all our downstream projects.
Even if it's just rumors ;)

regards, Achim


On Tue, 14 Dec 2021 at 10:44, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Even if I agree with Romain, I cancelled this release and I'm moving
> forward fast on new vote (later today).
>
> On 14/12/2021 10:32, Romain Manni-Bucau wrote:
> >> What's the difference between cutting a new release right after the
> >> release and just postponing this release (again) to include this log4j
> >> version?
> >> I'd rather have a 4.3.4 accepted by our consumers instead of everyone
> just
> >> waiting for the 4.3.5 ;)
> >
> > (just my 2cts and experience feedback about willing a perfect release)
> > Consumers waiting for something unrelated to log4j2 can adopt it 1 week
> > before ;), and as JB said, there is no security enhancement in 2.16 - and
> > some other parts of the JVM/libs are way more dangerous :p - so guess it
> is
> > better to release and move forward than keeping postponing which can
> delay
> > for more than 1 month the adoption (keep in mind we are in the last work
> > week in a lot of country since Xmas is coming ;)).
> >
> > Romain Manni-Bucau
> >
> >
> > On Tue, 14 Dec 2021 at 10:26, Jean-Baptiste Onofré wrote:
> >
> >> OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to
> >> include this new Pax Logging version.
> >>
> >> Regards
> >> JB
> >>
> >> On 14/12/2021 10:20, Achim Nierbeck wrote:
> >>> tbh. What's the difference between cutting a new release right after
> the
> >>> release and just postponing this release (again) to include this log4j
> >>> version?
> >>> I'd rather have a 4.3.4 accepted by our consumers instead of everyone
> >> just
> >>> waiting for the 4.3.5 ;)
> >>>
> >>> my 2 cents :)
> >>>
> >>> regards, Achim
> >>>
> >>>
> >>> On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >>>
>  There's no big change between log4j 2.15 and 2.16 (in term of CVE).
> So,
>  I would leave this vote running, and prepare Pax Logging/Karaf new
>  release after (pretty soon).
> 
>  Regards
>  JB
> 
>  On 14/12/2021 09:30, Bernd Eckenfels wrote:
> > If you have any reason to delay it some more, a new pax logging with
>  log4j 2.0.16 should be close by ,) Log4j finally disabled JNDI and
> >> removed
>  the lookup code. Otherwise another minor release would also be an
> >> option.
> > --
> > http://bernd.eckenfels.net
> > 
> > From: Francois Papon
> > Sent: Tuesday, December 14, 2021 8:49:24 AM
> > To: dev@karaf.apache.org
> > Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
> >
> > +1 (binding)
> >
> > Thanks JB!
> >
> > regards,
> >
> > Francois
> >
> > On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> >> Hi everyone,
> >>
> >> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> >>
> >> This release includes dependency upgrades, fixes, and improvements,
> >> especially:
> >>
> >> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> >> important security issue (CVE-2021-44228)
> >> - align dependencies versions between Karaf and Pax *
> >> - fix missing system export packages
> >> - fix on Karaf features json support
> >> - fix features autoRefresh configuration handling
> >> - fix on sshd session handling
> >> - update to sshd 2.8.0
> >> - lot of pax * updates
> >> - and much more !
> >>
> >> Please take a look on Release Notes for details !
> >>
> >> Release Notes:
> >>
> 
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >>
> >>
> >> Staging Maven Repository:
> >>
> >> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> >>
> >> Staging Dist Repository:
> >> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >>
> >> Git tag:
> >> karaf-4.3.4
> >>
> >> Please vote to approve this release:
> >>
> >> [ ] +1 Approve the release
> >> [ ] -1 Don't approve the release (please provide specific comments)
> >>
> >> This vote will be open for at least 72 hours.
> >>
> >> Regards
> >> JB
> >
> 
> >>>
> >>>
> >>
> >
>


-- 

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer &
Project Lead
blog 
Co-Author of Apache Ka

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Jean-Baptiste Onofré
Even if I agree with Romain, I cancelled this release and I'm moving 
forward fast on new vote (later today).


On 14/12/2021 10:32, Romain Manni-Bucau wrote:

What's the difference between cutting a new release right after the
release and just postponing this release (again) to include this log4j
version?
I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
waiting for the 4.3.5 ;)


(just my 2cts and experience feedback about willing a perfect release)
Consumers waiting for something unrelated to log4j2 can adopt it 1 week
before ;), and as JB said, there is no security enhancement in 2.16 - and
some other parts of the JVM/libs are way more dangerous :p - so guess it is
better to release and move forward than keeping postponing which can delay
for more than 1 month the adoption (keep in mind we are in the last work
week in a lot of country since Xmas is coming ;)).

Romain Manni-Bucau



On Tue, 14 Dec 2021 at 10:26, Jean-Baptiste Onofré wrote:


OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to
include this new Pax Logging version.

Regards
JB

On 14/12/2021 10:20, Achim Nierbeck wrote:

tbh. What's the difference between cutting a new release right after the
release and just postponing this release (again) to include this log4j
version?
I'd rather have a 4.3.4 accepted by our consumers instead of everyone

just

waiting for the 4.3.5 ;)

my 2 cents :)

regards, Achim


On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:


There's no big change between log4j 2.15 and 2.16 (in term of CVE). So,
I would leave this vote running, and prepare Pax Logging/Karaf new
release after (pretty soon).

Regards
JB

On 14/12/2021 09:30, Bernd Eckenfels wrote:

If you have any reason to delay it some more, a new pax logging with

log4j 2.0.16 should be close by ,) Log4j finally disabled JNDI and

removed

the lookup code. Otherwise another minor release would also be an

option.

--
http://bernd.eckenfels.net

From: Francois Papon
Sent: Tuesday, December 14, 2021 8:49:24 AM
To: dev@karaf.apache.org
Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (binding)

Thanks JB!

regards,

Francois

On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #2).

This release includes dependency upgrades, fixes, and improvements,
especially:

- upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
important security issue (CVE-2021-44228)
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:




https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547



Staging Maven Repository:


https://repository.apache.org/content/repositories/orgapachekaraf-1164/


Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB


[CANCEL][VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Jean-Baptiste Onofré
As discussed on the vote thread, I cancel this release to include Pax 
Logging 2.0.12 that will upgrade to log4j 2.0.16.


I will start a new vote asap.

Sorry about that,
Regards
JB

On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #2).

This release includes dependency upgrades, fixes, and improvements, 
especially:


- upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing 
important security issue (CVE-2021-44228)

- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547 



Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1164/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Romain Manni-Bucau
> What's the difference between cutting a new release right after the
> release and just postponing this release (again) to include this log4j
> version?
> I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
> waiting for the 4.3.5 ;)

(just my 2cts and experience feedback about willing a perfect release)
Consumers waiting for something unrelated to log4j2 can adopt it 1 week
before ;), and as JB said, there is no security enhancement in 2.16 - and
some other parts of the JVM/libs are way more dangerous :p - so guess it is
better to release and move forward than keeping postponing which can delay
for more than 1 month the adoption (keep in mind we are in the last work
week in a lot of country since Xmas is coming ;)).

Romain Manni-Bucau



On Tue, 14 Dec 2021 at 10:26, Jean-Baptiste Onofré wrote:

> OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to
> include this new Pax Logging version.
>
> Regards
> JB
>
> On 14/12/2021 10:20, Achim Nierbeck wrote:
> > tbh. What's the difference between cutting a new release right after the
> > release and just postponing this release (again) to include this log4j
> > version?
> > I'd rather have a 4.3.4 accepted by our consumers instead of everyone
> just
> > waiting for the 4.3.5 ;)
> >
> > my 2 cents :)
> >
> > regards, Achim
> >
> >
> > On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> >> There's no big change between log4j 2.15 and 2.16 (in term of CVE). So,
> >> I would leave this vote running, and prepare Pax Logging/Karaf new
> >> release after (pretty soon).
> >>
> >> Regards
> >> JB
> >>
> >> On 14/12/2021 09:30, Bernd Eckenfels wrote:
> >>> If you have any reason to delay it some more, a new pax logging with
> >> log4j 2.0.16 should be close by ,) Log4j finally disabled JNDI and
> removed
> >> the lookup code. Otherwise another minor release would also be an
> option.
> >>> --
> >>> http://bernd.eckenfels.net
> >>> 
> >>> From: Francois Papon
> >>> Sent: Tuesday, December 14, 2021 8:49:24 AM
> >>> To: dev@karaf.apache.org
> >>> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
> >>>
> >>> +1 (binding)
> >>>
> >>> Thanks JB!
> >>>
> >>> regards,
> >>>
> >>> Francois
> >>>
> >>> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
>  Hi everyone,
> 
>  I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> 
>  This release includes dependency upgrades, fixes, and improvements,
>  especially:
> 
>  - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
>  important security issue (CVE-2021-44228)
>  - align dependencies versions between Karaf and Pax *
>  - fix missing system export packages
>  - fix on Karaf features json support
>  - fix features autoRefresh configuration handling
>  - fix on sshd session handling
>  - update to sshd 2.8.0
>  - lot of pax * updates
>  - and much more !
> 
>  Please take a look on Release Notes for details !
> 
>  Release Notes:
> 
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> 
> 
>  Staging Maven Repository:
> 
> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> 
>  Staging Dist Repository:
>  https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> 
>  Git tag:
>  karaf-4.3.4
> 
>  Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ] -1 Don't approve the release (please provide specific comments)
> 
>  This vote will be open for at least 72 hours.
> 
>  Regards
>  JB
> >>>
> >>
> >
> >
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Bernd Eckenfels
There are rumors/theories the Sysprop does not cover all Code path (not for 
structured log events). Therefore sooner or later the 2.16 is needed for 
compliance reasons.

Much appreciated that you roll another release, jb.


--
http://bernd.eckenfels.net

From: Romain Manni-Bucau
Sent: Tuesday, December 14, 2021 10:07:13 AM
To: dev
Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (to release), in terms of actual security 2.15 or 2.16 does not change
much and karaf has some expected changes so let it go and redo one after if
wished IMHO

Romain Manni-Bucau



On Tue, 14 Dec 2021 at 09:30, Bernd Eckenfels wrote:

> If you have any reason to delay it some more, a new pax logging with log4j
> 2.0.16 should be close by ;) Log4j finally disabled JNDI and removed the
> lookup code. Otherwise another minor release would also be an option.
> --
> http://bernd.eckenfels.net
> 
> From: Francois Papon 
> Sent: Tuesday, December 14, 2021 8:49:24 AM
> To: dev@karaf.apache.org 
> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
>
> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> >
> > - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228)
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Jean-Baptiste Onofré
OK, so, let me prepare Pax Logging 2.0.12 then and cancel this vote to 
include this new Pax Logging version.


Regards
JB

On 14/12/2021 10:20, Achim Nierbeck wrote:
> tbh. What's the difference between cutting a new release right after the
> release and just postponing this release (again) to include this log4j
> version?
> I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
> waiting for the 4.3.5 ;)
>
> my 2 cents :)
>
> regards, Achim
>
>
> On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
>> There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So,
>> I would leave this vote running, and prepare Pax Logging/Karaf new
>> release after (pretty soon).
>>
>> Regards
>> JB
>>
>> On 14/12/2021 09:30, Bernd Eckenfels wrote:
>>> If you have any reason to delay it some more, a new pax logging with
>>> log4j 2.0.16 should be close by ;) Log4j finally disabled JNDI and removed
>>> the lookup code. Otherwise another minor release would also be an option.
>>>
>>> --
>>> http://bernd.eckenfels.net
>>>
>>> From: Francois Papon 
>>> Sent: Tuesday, December 14, 2021 8:49:24 AM
>>> To: dev@karaf.apache.org 
>>> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
>>>
>>> +1 (binding)
>>>
>>> Thanks JB!
>>>
>>> regards,
>>>
>>> Francois
>>>
>>> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
>>>> Hi everyone,
>>>>
>>>> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
>>>>
>>>> This release includes dependency upgrades, fixes, and improvements,
>>>> especially:
>>>>
>>>> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
>>>> important security issue (CVE-2021-44228)
>>>> - align dependencies versions between Karaf and Pax *
>>>> - fix missing system export packages
>>>> - fix on Karaf features json support
>>>> - fix features autoRefresh configuration handling
>>>> - fix on sshd session handling
>>>> - update to sshd 2.8.0
>>>> - lot of pax * updates
>>>> - and much more !
>>>>
>>>> Please take a look on Release Notes for details !
>>>>
>>>> Release Notes:
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>>>>
>>>> Staging Maven Repository:
>>>> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
>>>>
>>>> Staging Dist Repository:
>>>> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>>>>
>>>> Git tag:
>>>> karaf-4.3.4
>>>>
>>>> Please vote to approve this release:
>>>>
>>>> [ ] +1 Approve the release
>>>> [ ] -1 Don't approve the release (please provide specific comments)
>>>>
>>>> This vote will be open for at least 72 hours.
>>>>
>>>> Regards
>>>> JB


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Achim Nierbeck
tbh. What's the difference between cutting a new release right after the
release and just postponing this release (again) to include this log4j
version?
I'd rather have a 4.3.4 accepted by our consumers instead of everyone just
waiting for the 4.3.5 ;)

my 2 cents :)

regards, Achim


On Tue, 14 Dec 2021 at 10:09, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So,
> I would leave this vote running, and prepare Pax Logging/Karaf new
> release after (pretty soon).
>
> Regards
> JB
>
> On 14/12/2021 09:30, Bernd Eckenfels wrote:
> > If you have any reason to delay it some more, a new pax logging with
> log4j 2.0.16 should be close by ;) Log4j finally disabled JNDI and removed
> the lookup code. Otherwise another minor release would also be an option.
> > --
> > http://bernd.eckenfels.net
> > 
> > From: Francois Papon 
> > Sent: Tuesday, December 14, 2021 8:49:24 AM
> > To: dev@karaf.apache.org 
> > Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
> >
> > +1 (binding)
> >
> > Thanks JB!
> >
> > regards,
> >
> > Francois
> >
> > On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> >> Hi everyone,
> >>
> >> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> >>
> >> This release includes dependency upgrades, fixes, and improvements,
> >> especially:
> >>
> >> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> >> important security issue (CVE-2021-44228)
> >> - align dependencies versions between Karaf and Pax *
> >> - fix missing system export packages
> >> - fix on Karaf features json support
> >> - fix features autoRefresh configuration handling
> >> - fix on sshd session handling
> >> - update to sshd 2.8.0
> >> - lot of pax * updates
> >> - and much more !
> >>
> >> Please take a look on Release Notes for details !
> >>
> >> Release Notes:
> >>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >>
> >>
> >> Staging Maven Repository:
> >> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> >>
> >> Staging Dist Repository:
> >> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >>
> >> Git tag:
> >> karaf-4.3.4
> >>
> >> Please vote to approve this release:
> >>
> >> [ ] +1 Approve the release
> >> [ ] -1 Don't approve the release (please provide specific comments)
> >>
> >> This vote will be open for at least 72 hours.
> >>
> >> Regards
> >> JB
> >
>


-- 

Apache Member
Apache Karaf Committer & PMC
OPS4J Pax Web Committer & Project Lead
blog
Co-Author of Apache Karaf Cookbook


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Jean-Baptiste Onofré
There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So, 
I would leave this vote running, and prepare Pax Logging/Karaf new 
release after (pretty soon).


Regards
JB

On 14/12/2021 09:30, Bernd Eckenfels wrote:
> If you have any reason to delay it some more, a new pax logging with log4j
> 2.0.16 should be close by ;) Log4j finally disabled JNDI and removed the lookup
> code. Otherwise another minor release would also be an option.
> --
> http://bernd.eckenfels.net
>
> From: Francois Papon 
> Sent: Tuesday, December 14, 2021 8:49:24 AM
> To: dev@karaf.apache.org 
> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
>
> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
>> Hi everyone,
>>
>> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
>>
>> This release includes dependency upgrades, fixes, and improvements,
>> especially:
>>
>> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
>> important security issue (CVE-2021-44228)
>> - align dependencies versions between Karaf and Pax *
>> - fix missing system export packages
>> - fix on Karaf features json support
>> - fix features autoRefresh configuration handling
>> - fix on sshd session handling
>> - update to sshd 2.8.0
>> - lot of pax * updates
>> - and much more !
>>
>> Please take a look on Release Notes for details !
>>
>> Release Notes:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>>
>> Staging Maven Repository:
>> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
>>
>> Staging Dist Repository:
>> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>>
>> Git tag:
>> karaf-4.3.4
>>
>> Please vote to approve this release:
>>
>> [ ] +1 Approve the release
>> [ ] -1 Don't approve the release (please provide specific comments)
>>
>> This vote will be open for at least 72 hours.
>>
>> Regards
>> JB


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Romain Manni-Bucau
+1 (to release), in terms of actual security 2.15 or 2.16 does not change
much and karaf has some expected changes so let it go and redo one after if
wished IMHO

Romain Manni-Bucau
@rmannibucau | Blog | Old Blog | Github | LinkedIn | Book



On Tue, 14 Dec 2021 at 09:30, Bernd Eckenfels wrote:

> If you have any reason to delay it some more, a new pax logging with log4j
> 2.0.16 should be close by ;) Log4j finally disabled JNDI and removed the
> lookup code. Otherwise another minor release would also be an option.
> --
> http://bernd.eckenfels.net
> 
> From: Francois Papon 
> Sent: Tuesday, December 14, 2021 8:49:24 AM
> To: dev@karaf.apache.org 
> Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
>
> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> >
> > - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228)
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1164/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

2021-12-14 Thread Bernd Eckenfels
If you have any reason to delay it some more, a new pax logging with log4j 
2.0.16 should be close by ;) Log4j finally disabled JNDI and removed the lookup 
code. Otherwise another minor release would also be an option.
--
http://bernd.eckenfels.net

From: Francois Papon 
Sent: Tuesday, December 14, 2021 8:49:24 AM
To: dev@karaf.apache.org 
Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (binding)

Thanks JB!

regards,

Francois

On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
> Hi everyone,
>
> I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
>
> This release includes dependency upgrades, fixes, and improvements,
> especially:
>
> - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228)
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
>
> Please take a look on Release Notes for details !
>
> Release Notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>
>
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1164/
>
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>
> Git tag:
> karaf-4.3.4
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Regards
> JB
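Bernd's two messages in this thread (the system-property mitigation possibly not covering every code path, and log4j 2.16 disabling JNDI and removing the lookup code) both come down to the same defender task: finding which deployed jars still carry the older versions. The script below is an added example written for this page, not Karaf or Pax Logging project code. It walks a Karaf-style directory tree, reads the Maven `pom.properties` metadata inside each jar, and flags artifacts below the versions the thread names. The minimum-version table (log4j-core 2.16.0; Pax Logging 2.0.12 as the release JB says will pick it up), the `log4j2.formatMsgNoLookups` property name (the real log4j property the thread calls "the Sysprop"), and the sample jars are assumptions or constructed data. Real Pax Logging bundles may not retain the embedded log4j `pom.properties`, so on a real distribution the `pax-logging-log4j2` version is the one to rely on.

```python
"""Find jars in a Karaf-style tree whose log4j-core / pax-logging-log4j2 version is
below the release that disabled JNDI and removed the message lookup code.
Added example for this page, not Karaf or Pax Logging project code."""
import os
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Minimum acceptable versions. log4j 2.16.0 is the release Bernd refers to; Pax Logging
# 2.0.12 is the one JB says will ship it (assumption drawn from the thread, verify it
# against the Pax Logging changelog before relying on it).
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "org.apache.logging.log4j:log4j-core": (2, 16, 0),
    "org.ops4j.pax.logging:pax-logging-log4j2": (2, 0, 12),
}
# The mitigation property the thread calls "the Sysprop" (real log4j property name).
MITIGATION_PROPERTY = "log4j2.formatMsgNoLookups"


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    parts: List[int] = []
    for piece in v.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def read_pom_properties(jar_path: str) -> List[Dict[str, str]]:
    """Return every META-INF/maven/**/pom.properties entry (standard Maven metadata;
    shaded artifacts that keep theirs are reported too)."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found.append(props)
    return found


def scan(root: str) -> List[Dict[str, str]]:
    """One finding per artifact below MIN_VERSIONS; unreadable jars are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                entries = read_pom_properties(path)
            except zipfile.BadZipFile:
                continue
            for p in entries:
                key = f"{p['groupId']}:{p['artifactId']}"
                minimum = MIN_VERSIONS.get(key)
                if minimum and parse_version(p["version"]) < minimum:
                    findings.append({"jar": path, "artifact": key, "version": p["version"],
                                     "required": ".".join(map(str, minimum))})
    return findings


def report(findings: List[Dict[str, str]], system_properties: Dict[str, str]) -> List[str]:
    """Human-readable lines; the sysprop is reported as not replacing the upgrade."""
    lines = [f"{f['jar']}: {f['artifact']} {f['version']} < required {f['required']}"
             for f in findings]
    if findings and system_properties.get(MITIGATION_PROPERTY, "").lower() == "true":
        lines.append(f"{MITIGATION_PROPERTY}=true is set, but the thread reports it may not "
                     "cover every code path (structured log events); upgrade the jars above.")
    return lines


def _write_jar(path: str, artifacts: List[Tuple[str, str, str]]) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for g, a, v in artifacts:
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#constructed sample\ngroupId={g}\nartifactId={a}\nversion={v}\n")


def make_sample_tree(root: str) -> None:
    """Constructed sample, not a real distribution: Pax Logging 2.0.11 embedding
    log4j 2.15.0 (as the vote text states), a fixed log4j-core, an unrelated jar
    and a corrupt file to exercise the BadZipFile path."""
    sys_dir = os.path.join(root, "system")
    _write_jar(os.path.join(sys_dir, "org/ops4j/pax/logging/pax-logging-log4j2/2.0.11",
                            "pax-logging-log4j2-2.0.11.jar"),
               [("org.ops4j.pax.logging", "pax-logging-log4j2", "2.0.11"),
                ("org.apache.logging.log4j", "log4j-core", "2.15.0")])
    _write_jar(os.path.join(sys_dir, "org/apache/logging/log4j/log4j-core/2.16.0",
                            "log4j-core-2.16.0.jar"),
               [("org.apache.logging.log4j", "log4j-core", "2.16.0")])
    _write_jar(os.path.join(root, "deploy", "app.jar"), [("com.example", "app", "1.0")])
    with open(os.path.join(root, "deploy", "broken.jar"), "wb") as fh:
        fh.write(b"not a zip")


def demo() -> Dict[str, list]:
    """Build the constructed tree in a temp dir, scan it, and return the results."""
    root = tempfile.mkdtemp(prefix="karaf-scan-")
    try:
        findings = scan(root) if not make_sample_tree(root) else []
        lines = report(findings, {MITIGATION_PROPERTY: "true"})
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"findings": findings, "report": lines}


if __name__ == "__main__":
    for line in demo()["report"]:
        print(line)
```

Run it against a real installation with `scan("/path/to/karaf")` and pass the contents of `etc/system.properties` (or the JVM's `-D` flags) to `report()`; on the constructed tree it reports the 2.0.11 bundle twice (its own version and the embedded log4j-core 2.15.0) and says nothing about the 2.16.0 jar.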