Re: [RESULT][VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-27 Thread Steinar Bang
> Jean-Baptiste Onofre :

> Hi,
> This vote passed with the following result:

> +1 (binding): François Papon, Achim Nierbeck, Grzegorz Grzybek, Freeman Fang, 
> Jamie Goodyear, JB Onofré
> +1 (non binding): Lukas Roedl, Romain Manni-Bucau, Matt Pavlovich, Robert 
> Varga, Steinar Bang, Oliver Lietz, Serge Huber

> I’m promoting the artifacts on Maven Central and dist.apache.org, I’m 
> updating Jira and I will prepare announcement (website and mailing lists).

A .deb package has been created for karaf 4.3.4 and has been deployed to
my APT archive:
 
https://steinar.bang.priv.no/2018/01/23/installing-apache-karaf-on-debian/#comment-15826



[RESULT][VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-17 Thread Jean-Baptiste Onofre
Hi,

This vote passed with the following result:

+1 (binding): François Papon, Achim Nierbeck, Grzegorz Grzybek, Freeman Fang, 
Jamie Goodyear, JB Onofré
+1 (non binding): Lukas Roedl, Romain Manni-Bucau, Matt Pavlovich, Robert 
Varga, Steinar Bang, Oliver Lietz, Serge Huber

I’m promoting the artifacts on Maven Central and dist.apache.org, I’m updating 
Jira and I will prepare announcement (website and mailing lists).

Thanks all for your vote!

Regards
JB

> On 15 Dec 2021, at 05:43, JB Onofré wrote:
> 
> Hi everyone,
> 
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 
> 
> This release includes dependency upgrades, fixes, and improvements, 
> especially:
> 
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
> security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
> 
> Please take a look on Release Notes for details !
> 
> Release Notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> 
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> 
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> 
> Git tag:
> karaf-4.3.4
> 
> Please vote to approve this release:
> 
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> Regards
> JB
> 



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-17 Thread Jean-Baptiste Onofre
+1 (binding)

Regards
JB

> On 15 Dec 2021, at 05:43, JB Onofré wrote:
> 
> Hi everyone,
> 
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 
> 
> This release includes dependency upgrades, fixes, and improvements, 
> especially:
> 
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
> security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
> 
> Please take a look on Release Notes for details !
> 
> Release Notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> 
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> 
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> 
> Git tag:
> karaf-4.3.4
> 
> Please vote to approve this release:
> 
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> Regards
> JB
> 



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-16 Thread Oliver Lietz
On Wednesday, 15 December 2021 05:43:44 CET JB Onofré wrote:
> Hi everyone,
> 
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> 
> This release includes dependency upgrades, fixes, and improvements,
> especially:
> 
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
> 
> Please take a look on Release Notes for details !
> 
> Release Notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> 
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> 
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> 
> Git tag:
> karaf-4.3.4

+1

O.






Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Steinar Bang
I have installed all of my active karaf applications on this 4.3.4
version as well.

No error messages on install, normal messages to the karaf.log,
applications seem to run.

+1 (non-binding)



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Jamie G.
+1
Cheers,
Jamie

On Wed, Dec 15, 2021 at 1:48 PM Freeman Fang  wrote:
>
> +1 (binding)
>
> Thanks (again 😃) JB!
> Freeman
>
> On Tue, Dec 14, 2021 at 11:43 PM JB Onofré  wrote:
>
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
> >
> >


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Freeman Fang
+1 (binding)

Thanks (again 😃) JB!
Freeman

On Tue, Dec 14, 2021 at 11:43 PM JB Onofré  wrote:

> Hi everyone,
>
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
>
> This release includes dependency upgrades, fixes, and improvements,
> especially:
>
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
>
> Please take a look on Release Notes for details !
>
> Release Notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
>
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>
> Git tag:
> karaf-4.3.4
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Regards
> JB
>
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Robert Varga

On 15/12/2021 05:43, JB Onofré wrote:

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)


+1, non-binding.

Thanks.
Robert




Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Serge Huber
Thanks for clarifying, +1 (non-binding) then !

cheers,
  Serge...

On Wed, Dec 15, 2021 at 3:22 PM Matt Pavlovich  wrote:

> +1 (non-binding)
>
> > On Dec 14, 2021, at 10:43 PM, JB Onofré  wrote:
> >
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
> >
>
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Matt Pavlovich
+1 (non-binding)

> On Dec 14, 2021, at 10:43 PM, JB Onofré  wrote:
> 
> Hi everyone,
> 
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 
> 
> This release includes dependency upgrades, fixes, and improvements, 
> especially:
> 
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
> security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
> 
> Please take a look on Release Notes for details !
> 
> Release Notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> 
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> 
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> 
> Git tag:
> karaf-4.3.4
> 
> Please vote to approve this release:
> 
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> Regards
> JB
> 



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Grzegorz Grzybek
+1 (binding)

regards
Grzegorz Grzybek

On Wed, 15 Dec 2021 at 09:44, Achim Nierbeck wrote:

> +1 (binding)
>
> regards, Achim
>
>
> On Wed, 15 Dec 2021 at 08:34, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> > +1
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://rmannibucau.metawerx.net/> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > <
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > >
> >
> >
> > On Wed, 15 Dec 2021 at 08:21, Roedl Lukas wrote:
> >
> > > +1 (non-binding)
> > >
> > > regards,
> > > Lukas
> > >
> > > -----Original Message-----
> > > From: JB Onofré
> > > Sent: Wednesday, 15 December 2021 05:44
> > > To: dev@karaf.apache.org
> > > Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)
> > >
> > > Hi everyone,
> > >
> > > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> > >
> > > This release includes dependency upgrades, fixes, and improvements,
> > > especially:
> > >
> > > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > > important security issue (CVE-2021-44228) and fixing JNDI issue
> > > - align dependencies versions between Karaf and Pax *
> > > - fix missing system export packages
> > > - fix on Karaf features json support
> > > - fix features autoRefresh configuration handling
> > > - fix on sshd session handling
> > > - update to sshd 2.8.0
> > > - lot of pax * updates
> > > - and much more !
> > >
> > > Please take a look on Release Notes for details !
> > >
> > > Release Notes:
> > >
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> > >
> > > Staging Maven Repository:
> > >
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> > >
> > > Staging Dist Repository:
> > > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> > >
> > > Git tag:
> > > karaf-4.3.4
> > >
> > > Please vote to approve this release:
> > >
> > > [ ] +1 Approve the release
> > > [ ] -1 Don't approve the release (please provide specific comments)
> > >
> > > This vote will be open for at least 72 hours.
> > >
> > > Regards
> > > JB
> > >
> > >
> >
>
>
> --
>
> Apache Member
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> Project Lead
> blog <http://notizblog.nierbeck.de/>
> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-15 Thread Achim Nierbeck
+1 (binding)

regards, Achim


On Wed, 15 Dec 2021 at 08:34, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

> +1
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> >
>
>
> On Wed, 15 Dec 2021 at 08:21, Roedl Lukas wrote:
>
> > +1 (non-binding)
> >
> > regards,
> > Lukas
> >
> > -----Original Message-----
> > From: JB Onofré
> > Sent: Wednesday, 15 December 2021 05:44
> > To: dev@karaf.apache.org
> > Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)
> >
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
> >
> >
>


-- 

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Romain Manni-Bucau
+1

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Wed, 15 Dec 2021 at 08:21, Roedl Lukas wrote:

> +1 (non-binding)
>
> regards,
> Lukas
>
> -----Original Message-----
> From: JB Onofré
> Sent: Wednesday, 15 December 2021 05:44
> To: dev@karaf.apache.org
> Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)
>
> Hi everyone,
>
> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
>
> This release includes dependency upgrades, fixes, and improvements,
> especially:
>
> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> - align dependencies versions between Karaf and Pax *
> - fix missing system export packages
> - fix on Karaf features json support
> - fix features autoRefresh configuration handling
> - fix on sshd session handling
> - update to sshd 2.8.0
> - lot of pax * updates
> - and much more !
>
> Please take a look on Release Notes for details !
>
> Release Notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>
> Staging Maven Repository:
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
>
> Staging Dist Repository:
> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>
> Git tag:
> karaf-4.3.4
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Regards
> JB
>
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Roedl Lukas
+1 (non-binding)

regards,
Lukas

-----Original Message-----
From: JB Onofré
Sent: Wednesday, 15 December 2021 05:44
To: dev@karaf.apache.org
Subject: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread JB Onofré
Sorry, I made a mistake in my previous email: pax logging 2.0.12 uses log4j 2.16.0.
That’s exactly the purpose of this new take.

> On 15 Dec 2021, at 07:40, Grzegorz Grzybek wrote:
> 
> Hello
> 
> With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging
> 2.0.12 and 1.11.11 already use Log4j2 2.16.0.
> 
> regards
> Grzegorz Grzybek
> 
> On Wed, 15 Dec 2021 at 07:36, Serge Huber wrote:
> 
>> Given that log4j 2.15.0 has been found to have a Denial of service should
>> we re-release with 2.16.0 ?
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>> 
>> Note that previous mitigations involving configuration such as to set the
>> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
>> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
>> for message lookup patterns and disabling JNDI functionality by default.
>> This issue can be mitigated in prior releases (<2.16.0) by removing the
>> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
>> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>> 
>> Regards,
>>  Serge...
>> 
>> Serge Huber
>> CTO & Co-Founder
>> T +41 22 361 3424
>> 9 route des Jeunes | 1227 Acacias | Switzerland
>> jahia.com 
>> 
>> 
>>> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <
>>> francois.pa...@openobject.fr>
>>> wrote:
>>> 
>>> +1 (binding)
>>> 
>>> Thanks JB!
>>> 
>>> regards,
>>> 
>>> Francois
>>> 
>>> On 15/12/2021 05:43, JB Onofré wrote:
>>>> Hi everyone,
>>>> 
>>>> I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
>>>> 
>>>> This release includes dependency upgrades, fixes, and improvements,
>>>> especially:
>>>> 
>>>> - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
>>>> important security issue (CVE-2021-44228) and fixing JNDI issue
>>>> - align dependencies versions between Karaf and Pax *
>>>> - fix missing system export packages
>>>> - fix on Karaf features json support
>>>> - fix features autoRefresh configuration handling
>>>> - fix on sshd session handling
>>>> - update to sshd 2.8.0
>>>> - lot of pax * updates
>>>> - and much more !
>>>> 
>>>> Please take a look on Release Notes for details !
>>>> 
>>>> Release Notes:
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
>>>> 
>>>> Staging Maven Repository:
>>>> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
>>>> 
>>>> Staging Dist Repository:
>>>> https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
>>>> 
>>>> Git tag:
>>>> karaf-4.3.4
>>>> 
>>>> Please vote to approve this release:
>>>> 
>>>> [ ] +1 Approve the release
>>>> [ ] -1 Don't approve the release (please provide specific comments)
>>>> 
>>>> This vote will be open for at least 72 hours.
>>>> 
>>>> Regards
>>>> JB
>>>> 
>>> 
>> 



Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Grzegorz Grzybek
Hello

With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging
2.0.12 and 1.11.11 already use Log4j2 2.16.0.

regards
Grzegorz Grzybek

On Wed, 15 Dec 2021 at 07:36, Serge Huber wrote:

> Given that log4j 2.15.0 has been found to have a Denial of service should
> we re-release with 2.16.0 ?
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>
> Note that previous mitigations involving configuration such as to set the
> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
> for message lookup patterns and disabling JNDI functionality by default.
> This issue can be mitigated in prior releases (<2.16.0) by removing the
> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>
> Regards,
>   Serge...
>
> Serge Huber
> CTO & Co-Founder
> T +41 22 361 3424
> 9 route des Jeunes | 1227 Acacias | Switzerland
> jahia.com 
>
>
> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <
> francois.pa...@openobject.fr>
> wrote:
>
> > +1 (binding)
> >
> > Thanks JB!
> >
> > regards,
> >
> > Francois
> >
> > On 15/12/2021 05:43, JB Onofré wrote:
> > > Hi everyone,
> > >
> > > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> > >
> > > This release includes dependency upgrades, fixes, and improvements,
> > especially:
> > >
> > > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > important security issue (CVE-2021-44228) and fixing JNDI issue
> > > - align dependencies versions between Karaf and Pax *
> > > - fix missing system export packages
> > > - fix on Karaf features json support
> > > - fix features autoRefresh configuration handling
> > > - fix on sshd session handling
> > > - update to sshd 2.8.0
> > > - lot of pax * updates
> > > - and much more !
> > >
> > > Please take a look on Release Notes for details !
> > >
> > > Release Notes:
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> > >
> > > Staging Maven Repository:
> > >
> https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> > >
> > > Staging Dist Repository:
> > > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> > >
> > > Git tag:
> > > karaf-4.3.4
> > >
> > > Please vote to approve this release:
> > >
> > > [ ] +1 Approve the release
> > > [ ] -1 Don't approve the release (please provide specific comments)
> > >
> > > This vote will be open for at least 72 hours.
> > >
> > > Regards
> > > JB
> > >
> >
>


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Serge Huber
Given that log4j 2.15.0 has been found to have a Denial of service should
we re-release with 2.16.0 ?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Note that previous mitigations involving configuration such as to set the
system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
for message lookup patterns and disabling JNDI functionality by default.
This issue can be mitigated in prior releases (<2.16.0) by removing the
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class).

Regards,
  Serge...

Serge Huber
CTO & Co-Founder
T +41 22 361 3424
9 route des Jeunes | 1227 Acacias | Switzerland
jahia.com 


On Wed, Dec 15, 2021 at 7:28 AM Francois Papon 
wrote:

> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 15/12/2021 05:43, JB Onofré wrote:
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements,
> especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
> >
>
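
An added example, not part of the original thread or of any project's code: a Python check that finds log4j-core content in archives, including archives nested inside other archives, and reports the two conditions the advisory text quoted in the message above turns on, namely whether the version is below 2.16.0 and whether `JndiLookup.class` is still present. It assumes the copy ships Maven's `pom.properties` for version detection; `make_jar`, the status names and the size and depth limits are choices made for this example, and the sample archives are constructed.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)                 # release the quoted advisory names as fixed
ARCHIVE_EXT = (".jar", ".war", ".ear", ".kar", ".zip")
MAX_DEPTH = 4                      # bound recursion into nested archives
MAX_NESTED_BYTES = 64 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, has_jndi):
    """Map what was found in one archive to a status string."""
    if version is not None and version >= FIXED:
        return "fixed"
    if not has_jndi:
        return "mitigated"         # class removed, as the advisory describes
    return "affected" if version is not None else "review"


def scan_archive(data, label, depth=0):
    """Yield one finding per archive (at any nesting level) with log4j-core content."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if has_jndi or version is not None:
            yield {"path": label, "version": version,
                   "jndi_lookup": has_jndi, "status": classify(version, has_jndi)}
        if depth >= MAX_DEPTH:
            return
        for name in sorted(names):
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            if zf.getinfo(name).file_size > MAX_NESTED_BYTES:
                continue
            yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)


def scan_tree(root):
    """Scan every archive file below root and return the list of findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def make_jar(version=None, with_jndi=True, nested=None):
    """Build a constructed sample archive in memory (contains no real log4j code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        # Constructed samples: a bundle embedding an old copy, and a patched copy.
        bundle = make_jar(with_jndi=False,
                          nested={"lib/log4j-core.jar": make_jar("2.15.0")})
        results = list(scan_archive(bundle, "sample-bundle.kar"))
        results += scan_archive(make_jar("2.15.0", with_jndi=False), "patched.jar")
    for f in results:
        ver = ".".join(map(str, f["version"])) if f["version"] else "unknown"
        print(f"{f['status']:<10} version={ver:<8} jndi={f['jndi_lookup']}  {f['path']}")
```

Run with a directory argument to scan an installation tree; without arguments it prints the findings for the constructed samples.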


Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread Francois Papon

+1 (binding)

Thanks JB!

regards,

Francois

On 15/12/2021 05:43, JB Onofré wrote:

Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3).

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB



[VOTE] Apache Karaf runtime 4.3.4 release (take #3)

2021-12-14 Thread JB Onofré
Hi everyone,

I submit Apache Karaf runtime 4.3.4 to your vote (take #3). 

This release includes dependency upgrades, fixes, and improvements, especially:

- upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important 
security issue (CVE-2021-44228) and fixing JNDI issue
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lot of pax * updates
- and much more !

Please take a look on Release Notes for details !

Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547

Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1165/

Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/

Git tag:
karaf-4.3.4

Please vote to approve this release:

[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Regards
JB