RE: Log4j Vulnerability

2021-12-15 Thread Ganesh, B (Nokia - IN/Bangalore)
Hi All,

According to the latest mitigation plan from Log4j
(https://logging.apache.org/log4j/2.x/security.html), Java 8 (or later) users
should upgrade to release 2.16.0.
However, the NiFi community discussion
(https://www.mail-archive.com/issues@nifi.apache.org/msg126427.html) says:
following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible.

Can you please clarify further?

Thanks & Regards,
Ganesh.B

-Original Message-
From: Joe Witt  
Sent: Tuesday, December 14, 2021 10:16 PM
To: dev@nifi.apache.org
Subject: Re: Log4j Vulnerability

Bcc'ing you Martin

Yes of course we're very in tune with what is happening.  The convenience binary
we sent doesn't contain log4j impacted libs.  But some of the nars we publish
that people can use do.  We also do not use log4j directly as we use slf4j.
But we're not certain that every possible avenue of this is shut down so we're
treating this as if we must replace it entirely.  To that end we are releasing
Apache NiFi 1.15.1 and doing so on an urgent timeline.  There have been issues
with the release process presumably due to Apache being under so much load.
But we're on it.  Hopefully vote today/release up/available tomorrow.
TBD

Thanks

On Tue, Dec 14, 2021 at 9:40 AM Haris Javaid  wrote:
>
> Hi there,
> I am sure you guys are aware of the recently found log4j
> vulnerability. I am curious to know if it's required for us NiFi users
> to take some action. Please let me know.
>
> Thanks,
> H


Re: Log4j Vulnerability

2021-12-15 Thread Pierre Villard
https://issues.apache.org/jira/browse/NIFI-9482

On Wed, 15 Dec 2021 at 09:44, Ganesh, B (Nokia - IN/Bangalore) <
b.gan...@nokia.com> wrote:

> Hi All,
>
> According to the latest mitigation plan from Log4j
> (https://logging.apache.org/log4j/2.x/security.html), Java 8 (or later)
> users should upgrade to release 2.16.0.
> However, the NiFi community discussion
> (https://www.mail-archive.com/issues@nifi.apache.org/msg126427.html) says:
> following NIFI-9283, upgrade Log4j to 2.15.0 wherever possible.
>
> Can you please clarify further?
>
> Thanks & Regards,
> Ganesh.B
>
> -Original Message-
> From: Joe Witt 
> Sent: Tuesday, December 14, 2021 10:16 PM
> To: dev@nifi.apache.org
> Subject: Re: Log4j Vulnerability
>
> Bcc'ing you Martin
>
> Yes of course we're very in tune with what is happening.  The convenience
> binary we sent doesn't contain log4j impacted libs.  But some of the nars
> we publish that people can use do.  We also do not use log4j directly as we
> use slf4j.  But we're not certain that every possible avenue of this is
> shut down so we're treating this as if we must replace it entirely.  To
> that end we are releasing Apache NiFi 1.15.1 and doing so on an urgent
> timeline.  There have been issues with the
> release process presumably due to Apache being under so much load.
> But we're on it.  Hopefully vote today/release up/available tomorrow.
> TBD
>
> Thanks
>
> On Tue, Dec 14, 2021 at 9:40 AM Haris Javaid 
> wrote:
> >
> > Hi there,
> > I am sure you guys are aware of the recently found log4j
> > vulnerability. I am curious to know if it's required for us NiFi users
> > to take some action. Please let me know.
> >
> > Thanks,
> > H
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Kotaro Terada
+1 (non-binding)

- Verified signatures and hashes.
- Built from source with OpenJDK 8 and OpenJDK 11.
- Ran and tested a couple of flows.
- Checked the dependency does not include log4j less than 2.16.0.

Thank you for managing the release, Joe!

Thanks,
Kotaro


On Wed, Dec 15, 2021 at 12:35 PM Joe Witt  wrote:

> Hello,
>
> I am pleased to be calling this vote for the source release of Apache
> NiFi 1.15.1.
>
> This vote, unlike most, is purely stability and security focused.
> This vote is rooted
> in a prompt response to the 'log4shell' vulnerability and related
> logging announcements.
> It also includes other easy to incorporate bugs and improvements.  It
> should be easy to
> upgrade from any 1.15 install to this and just as easy as it was to go
> from pre 1.15 to
> this 1.15.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1192
>
> The source being voted upon and the convenience binaries can be found at:
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
>
> A helpful reminder on how the release candidate verification process works:
>
> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
>
> The Git tag is nifi-1.15.1-RC1
> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
>
> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
>
> Checksums of nifi-1.15.1-source-release.zip:
> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> SHA512:
> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/joewitt.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 45 issues were closed/resolved for this release:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
>
> Release note highlights can be found here:
>
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
>
> Given the nature of the vote being about a prompt release to remove
> vulnerable
> logging related libraries the vote will be open for 24 hours (instead
> of the normal 72 hours).
>
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test.
> Then please vote:
>
> [ ] +1 Release this package as nifi-1.15.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because...
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Pierre Villard
+1 (binding)

Went through the usual steps.
Thanks for taking care of this so quickly!

Pierre

On Wed, 15 Dec 2021 at 10:55, Kotaro Terada wrote:

> +1 (non-binding)
>
> - Verified signatures and hashes.
> - Built from source with OpenJDK 8 and OpenJDK 11.
> - Ran and tested a couple of flows.
> - Checked the dependency does not include log4j less than 2.16.0.
>
> Thank you for managing the release, Joe!
>
> Thanks,
> Kotaro
>
>
> On Wed, Dec 15, 2021 at 12:35 PM Joe Witt  wrote:
>
> > Hello,
> >
> > I am pleased to be calling this vote for the source release of Apache
> > NiFi 1.15.1.
> >
> > This vote, unlike most, is purely stability and security focused.
> > This vote is rooted
> > in a prompt response to the 'log4shell' vulnerability and related
> > logging announcements.
> > It also includes other easy to incorporate bugs and improvements.  It
> > should be easy to
> > upgrade from any 1.15 install to this and just as easy as it was to go
> > from pre 1.15 to
> > this 1.15.1.
> >
> > The source zip, including signatures, digests, etc. can be found at:
> > https://repository.apache.org/content/repositories/orgapachenifi-1192
> >
> > The source being voted upon and the convenience binaries can be found at:
> > https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> >
> > A helpful reminder on how the release candidate verification process works:
> >
> > https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> >
> > The Git tag is nifi-1.15.1-RC1
> > The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> >
> > https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> >
> > Checksums of nifi-1.15.1-source-release.zip:
> > SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> > SHA512:
> > 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> >
> > Release artifacts are signed with the following key:
> > https://people.apache.org/keys/committer/joewitt.asc
> >
> > KEYS file available here:
> > https://dist.apache.org/repos/dist/release/nifi/KEYS
> >
> > 45 issues were closed/resolved for this release:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> >
> > Release note highlights can be found here:
> >
> > https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> >
> > Given the nature of the vote being about a prompt release to remove
> > vulnerable
> > logging related libraries the vote will be open for 24 hours (instead
> > of the normal 72 hours).
> >
> > Please download the release candidate and evaluate the necessary items
> > including checking hashes, signatures, build from source, and test.
> > Then please vote:
> >
> > [ ] +1 Release this package as nifi-1.15.1
> > [ ] +0 no opinion
> > [ ] -1 Do not release this package because...
> >
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Chris Sampson
+1 (non-binding)

- ran through the release helper
- ran some simple flows with a couple of the new features/bug fixes to
verify

However, I note that there's a Dependabot notice in the GitHub repo
currently for log4j dependencies nested within the Elasticsearch NARs - it
may not be a problem, but thought worth pointing out.


---
*Chris Sampson*
IT Consultant
chris.samp...@naimuri.com


On Wed, 15 Dec 2021 at 09:57, Pierre Villard 
wrote:

> +1 (binding)
>
> Went through the usual steps.
> Thanks for taking care of this so quickly!
>
> Pierre
>
> On Wed, 15 Dec 2021 at 10:55, Kotaro Terada wrote:
>
> > +1 (non-binding)
> >
> > - Verified signatures and hashes.
> > - Built from source with OpenJDK 8 and OpenJDK 11.
> > - Ran and tested a couple of flows.
> > - Checked the dependency does not include log4j less than 2.16.0.
> >
> > Thank you for managing the release, Joe!
> >
> > Thanks,
> > Kotaro
> >
> >
> > On Wed, Dec 15, 2021 at 12:35 PM Joe Witt  wrote:
> >
> > > Hello,
> > >
> > > I am pleased to be calling this vote for the source release of Apache
> > > NiFi 1.15.1.
> > >
> > > This vote, unlike most, is purely stability and security focused.
> > > This vote is rooted
> > > in a prompt response to the 'log4shell' vulnerability and related
> > > logging announcements.
> > > It also includes other easy to incorporate bugs and improvements.  It
> > > should be easy to
> > > upgrade from any 1.15 install to this and just as easy as it was to go
> > > from pre 1.15 to
> > > this 1.15.1.
> > >
> > > The source zip, including signatures, digests, etc. can be found at:
> > > https://repository.apache.org/content/repositories/orgapachenifi-1192
> > >
> > > The source being voted upon and the convenience binaries can be found at:
> > > https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> > >
> > > A helpful reminder on how the release candidate verification process works:
> > >
> > > https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> > >
> > > The Git tag is nifi-1.15.1-RC1
> > > The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> > >
> > > https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> > >
> > > Checksums of nifi-1.15.1-source-release.zip:
> > > SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> > > SHA512:
> > > 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> > >
> > > Release artifacts are signed with the following key:
> > > https://people.apache.org/keys/committer/joewitt.asc
> > >
> > > KEYS file available here:
> > > https://dist.apache.org/repos/dist/release/nifi/KEYS
> > >
> > > 45 issues were closed/resolved for this release:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> > >
> > > Release note highlights can be found here:
> > >
> > > https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> > >
> > > Given the nature of the vote being about a prompt release to remove
> > > vulnerable
> > > logging related libraries the vote will be open for 24 hours (instead
> > > of the normal 72 hours).
> > >
> > > Please download the release candidate and evaluate the necessary items
> > > including checking hashes, signatures, build from source, and test.
> > > Then please vote:
> > >
> > > [ ] +1 Release this package as nifi-1.15.1
> > > [ ] +0 no opinion
> > > [ ] -1 Do not release this package because...
> > >
> >
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Matt Burgess
+1 (binding)

Ran through release helper, tested various flows and components
including LogAttribute, InvokeScriptedProcessor, etc. Everything looks
good. Thanks for RM'ing and the quick turnaround Joe!

On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:
>
> Hello,
>
> I am pleased to be calling this vote for the source release of Apache
> NiFi 1.15.1.
>
> This vote, unlike most, is purely stability and security focused.
> This vote is rooted
> in a prompt response to the 'log4shell' vulnerability and related
> logging announcements.
> It also includes other easy to incorporate bugs and improvements.  It
> should be easy to
> upgrade from any 1.15 install to this and just as easy as it was to go
> from pre 1.15 to
> this 1.15.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1192
>
> The source being voted upon and the convenience binaries can be found at:
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
>
> A helpful reminder on how the release candidate verification process works:
> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
>
> The Git tag is nifi-1.15.1-RC1
> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
>
> Checksums of nifi-1.15.1-source-release.zip:
> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> SHA512: 
> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/joewitt.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 45 issues were closed/resolved for this release:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
>
> Release note highlights can be found here:
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
>
> Given the nature of the vote being about a prompt release to remove vulnerable
> logging related libraries the vote will be open for 24 hours (instead
> of the normal 72 hours).
>
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test.
> Then please vote:
>
> [ ] +1 Release this package as nifi-1.15.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because...


Release Notes 1.15.1/1.16.0

2021-12-15 Thread Narducci, Emiliano
Hi Nifi Team,
when will the next NiFi version be released?

Thank you,
Best regards,



Emiliano Narducci
Milan - Italy
mobile-phone: 3457754440
email: emiliano.nardu...@accenture.com






Re: Release Notes 1.15.1/1.16.0

2021-12-15 Thread Joe Witt
Hello

If you were subscribed to the list or looking at the list you'd see we
are voting on NiFi 1.15.1 right now.

It could well be available by the end of today.

Thanks

On Wed, Dec 15, 2021 at 9:09 AM Narducci, Emiliano
 wrote:
>
> Hi Nifi Team,
> when will the next NiFi version be released?
>
> Thank you,
> Best regards,
>
>
>
> Emiliano Narducci
> Milan - Italy
> mobile-phone: 3457754440
> email: emiliano.nardu...@accenture.com
>
>
> 
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Matt Gilman
+1 (binding)

Ran through the release helper. Looks great.

Thanks for RMing Joe!

On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:

> Hello,
>
> I am pleased to be calling this vote for the source release of Apache
> NiFi 1.15.1.
>
> This vote, unlike most, is purely stability and security focused.
> This vote is rooted
> in a prompt response to the 'log4shell' vulnerability and related
> logging announcements.
> It also includes other easy to incorporate bugs and improvements.  It
> should be easy to
> upgrade from any 1.15 install to this and just as easy as it was to go
> from pre 1.15 to
> this 1.15.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1192
>
> The source being voted upon and the convenience binaries can be found at:
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
>
> A helpful reminder on how the release candidate verification process works:
>
> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
>
> The Git tag is nifi-1.15.1-RC1
> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
>
> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
>
> Checksums of nifi-1.15.1-source-release.zip:
> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> SHA512:
> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/joewitt.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 45 issues were closed/resolved for this release:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
>
> Release note highlights can be found here:
>
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
>
> Given the nature of the vote being about a prompt release to remove
> vulnerable
> logging related libraries the vote will be open for 24 hours (instead
> of the normal 72 hours).
>
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test.
> Then please vote:
>
> [ ] +1 Release this package as nifi-1.15.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because...
>


[ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Matt Gilman
Apache NiFi community,

On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
has accepted the PMC's invitation to become a committer on the Apache NiFi
project. We greatly appreciate all of Margot's hard work and generous
contributions to the project. We look forward to continued involvement in
the project.

Margot has been contributing to NiFi and NiFi Registry for years. Her
contributions have covered both back-end and front-end improvements in both
projects in addition to release verification and thoughtful PR reviews.

Welcome and congratulations!


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Joe Witt
Congrats Margot!   And thanks

On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman  wrote:

> Apache NiFi community,
>
> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> has accepted the PMC's invitation to become a committer on the Apache NiFi
> project. We greatly appreciate all of Margot's hard work and generous
> contributions to the project. We look forward to continued involvement in
> the project.
>
> Margot has been contributing to NiFi and NiFi Registry for years. Her
> contributions have covered both back-end and front-end improvements in both
> projects in addition to release verification and thoughtful PR reviews.
>
> Welcome and congratulations!
>


log4j vulnerability

2021-12-15 Thread Tahir Khan
Hi,
We are on NiFi 1.12.1.
Our security team have notified us about the log4j vulnerability from the below 
jars:

/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.8.2.jar
/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.13.3.jar
/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
/disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
/disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.10.0.jar
/disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.10.0.jar

What are the ways of mitigating this vulnerability?
Appreciate the help!
Thanks




Re: log4j vulnerability

2021-12-15 Thread Joe Witt
Tahir

Please read: 
https://exceptionfactory.com/posts/2021/12/14/evaluating-log4shell-and-apache-nifi/

We aren't advocating any mitigations officially at this point as
things have evolved rapidly.  Further, as the blog shows, you could
simply delete nars listed if those aren't central to your flow's
operation and restart and then you have zero instances of these.

In any event we're releasing Apache NiFi 1.15.1 as we speak.  Bits
hopefully available by this evening.  In that you will have logback's
latest (for a vulnerability they just announced), log4j 2.16 (for the
vulnerabilities they have announced), and we block all other forms of
log4j 1.x/2.x in the maven reactor for other vulnerabilities
announced.  It should be a pretty complete state.

Furthermore, your versions listed show you're using a vendor release
of the product.  You should work with that vendor if you need patches
to that.

Thanks
Joe

On Wed, Dec 15, 2021 at 11:52 AM Tahir Khan  wrote:
>
> Hi,
> We are on NiFi 1.12.1.
> Our security team have notified us about the log4j vulnerability from the 
> below jars:
>
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.8.2.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-restapi-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.13.3.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-elasticsearch-client-service-nar-1.12.1.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.11.1.jar
> /disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-api-2.10.0.jar
> /disk-5/nifi/work/nar/extensions/nifi-hive3-nar-1.7.0.3.2.0.0-520.nar-unpacked/NAR-INF/bundled-dependencies/log4j-core-2.10.0.jar
>
> What are the ways of mitigating this vulnerability?
> Appreciate the help!
> Thanks
>
>
> Nothing in this message is intended to constitute an electronic signature 
> unless a specific statement to the contrary is included in this message.
>
> Confidentiality Note: This message is intended only for the person or entity 
> to which it is addressed. It may contain confidential and/or privileged 
> material. Any review, transmission, dissemination or other use, or taking of 
> any action in reliance upon this message by persons or entities other than 
> the intended recipient is prohibited and may be unlawful. If you received 
> this message in error, please contact the sender and delete it from your 
> computer.
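
The check that recurs in this thread (Kotaro Terada's "does not include log4j less than 2.16.0" and the jar list in Tahir Khan's message) can be scripted. The following is an added example, not code from the NiFi project or from anyone on the list; the function names and the two paths marked as constructed are assumptions, and it looks only at log4j-api and log4j-core jars of Log4j 2.

```python
import os
import re
from collections import defaultdict

# Floor used in this thread: nothing below Log4j 2.16.0 should remain.
MIN_VERSION = (2, 16, 0)

# <nar>.nar-unpacked/NAR-INF/bundled-dependencies/log4j-{api,core}-<version>.jar
BUNDLED_LOG4J = re.compile(
    r"(?:^|/)(?P<nar>[^/]+)\.nar-unpacked/NAR-INF/bundled-dependencies/"
    r"log4j-(?P<module>api|core)-(?P<version>\d+(?:\.\d+)*)[^/]*\.jar$"
)

BASE = "/disk-5/nifi/work/nar/extensions/"
DEPS = ".nar-unpacked/NAR-INF/bundled-dependencies/"

# The first eight entries are the paths from the message above (duplicates
# included); the last two are constructed to show the non-flagged cases.
SAMPLE_PATHS = [
    BASE + "nifi-elasticsearch-client-service-nar-1.12.1" + DEPS + "log4j-api-2.11.1.jar",
    BASE + "nifi-elasticsearch-client-service-nar-1.12.1" + DEPS + "log4j-core-2.11.1.jar",
    BASE + "nifi-elasticsearch-restapi-nar-1.12.1" + DEPS + "log4j-api-2.8.2.jar",
    BASE + "nifi-elasticsearch-restapi-nar-1.12.1" + DEPS + "log4j-core-2.13.3.jar",
    BASE + "nifi-elasticsearch-client-service-nar-1.12.1" + DEPS + "log4j-api-2.11.1.jar",
    BASE + "nifi-elasticsearch-client-service-nar-1.12.1" + DEPS + "log4j-core-2.11.1.jar",
    BASE + "nifi-hive3-nar-1.7.0.3.2.0.0-520" + DEPS + "log4j-api-2.10.0.jar",
    BASE + "nifi-hive3-nar-1.7.0.3.2.0.0-520" + DEPS + "log4j-core-2.10.0.jar",
    BASE + "constructed-example-nar-0.0.0" + DEPS + "log4j-core-2.16.0.jar",    # constructed
    BASE + "constructed-api-only-nar-0.0.0" + DEPS + "log4j-api-2.11.1.jar",    # constructed
]


def parse_version(text):
    """'2.8.2' -> (2, 8, 2); short versions are zero-padded so '2.16' == '2.16.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def find_bundled_log4j(paths):
    """Return sorted, de-duplicated (nar, module, version) triples found in paths."""
    found = set()
    for raw in paths:
        match = BUNDLED_LOG4J.search(raw.strip().replace("\\", "/"))
        if match:
            found.add((match["nar"], match["module"], match["version"]))
    return sorted(found)


def nars_below_minimum(paths, minimum=MIN_VERSION):
    """Group jars older than `minimum` by the NAR that bundles them.

    core_below_minimum is set when the old jar is log4j-core, the module that
    contains the lookup code; a NAR carrying only an old log4j-api is listed
    but not flagged.
    """
    report = defaultdict(lambda: {"jars": [], "core_below_minimum": False})
    for nar, module, version in find_bundled_log4j(paths):
        if parse_version(version) < minimum:
            entry = report[nar]
            entry["jars"].append(f"log4j-{module}-{version}.jar")
            if module == "core":
                entry["core_below_minimum"] = True
    return dict(report)


def scan_tree(root):
    """Yield every log4j-*.jar path under root, e.g. a NiFi work/nar directory."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    for nar, entry in sorted(nars_below_minimum(SAMPLE_PATHS).items()):
        flag = "log4j-core below 2.16.0" if entry["core_below_minimum"] else "api only"
        print(f"{nar}: {', '.join(entry['jars'])} [{flag}]")
```

On a real install, pass `scan_tree()` the NAR working directory instead of the sample list; each flagged NAR is a candidate for removal or upgrade, as described in the reply above.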


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Marton Szasz
+1 (binding)
Went through the release helper guide, tested with a simple flow.
Thanks for rapidly preparing a release!

Marton

On Wed, 15 Dec 2021 at 16:59, Matt Gilman  wrote:
>
> +1 (binding)
>
> Ran through the release helper. Looks great.
>
> Thanks for RMing Joe!
>
> On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:
>
> > Hello,
> >
> > I am pleased to be calling this vote for the source release of Apache
> > NiFi 1.15.1.
> >
> > This vote, unlike most, is purely stability and security focused.
> > This vote is rooted
> > in a prompt response to the 'log4shell' vulnerability and related
> > logging announcements.
> > It also includes other easy to incorporate bugs and improvements.  It
> > should be easy to
> > upgrade from any 1.15 install to this and just as easy as it was to go
> > from pre 1.15 to
> > this 1.15.1.
> >
> > The source zip, including signatures, digests, etc. can be found at:
> > https://repository.apache.org/content/repositories/orgapachenifi-1192
> >
> > The source being voted upon and the convenience binaries can be found at:
> > https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> >
> > A helpful reminder on how the release candidate verification process works:
> >
> > https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> >
> > The Git tag is nifi-1.15.1-RC1
> > The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> >
> > https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> >
> > Checksums of nifi-1.15.1-source-release.zip:
> > SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> > SHA512:
> > 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> >
> > Release artifacts are signed with the following key:
> > https://people.apache.org/keys/committer/joewitt.asc
> >
> > KEYS file available here:
> > https://dist.apache.org/repos/dist/release/nifi/KEYS
> >
> > 45 issues were closed/resolved for this release:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> >
> > Release note highlights can be found here:
> >
> > https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> >
> > Given the nature of the vote being about a prompt release to remove
> > vulnerable
> > logging related libraries the vote will be open for 24 hours (instead
> > of the normal 72 hours).
> >
> > Please download the release candidate and evaluate the necessary items
> > including checking hashes, signatures, build from source, and test.
> > Then please vote:
> >
> > [ ] +1 Release this package as nifi-1.15.1
> > [ ] +0 no opinion
> > [ ] -1 Do not release this package because...
> >


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Kevin Doran
Congratulations Margot! Well deserved.

> On Dec 15, 2021, at 13:47, Joe Witt  wrote:
> 
> Congrats Margot!   And thanks
> 
> On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman  wrote:
> 
>> Apache NiFi community,
>> 
>> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
>> has accepted the PMC's invitation to become a committer on the Apache NiFi
>> project. We greatly appreciate all of Margot's hard work and generous
>> contributions to the project. We look forward to continued involvement in
>> the project.
>> 
>> Margot has been contributing to NiFi and NiFi Registry for years. Her
>> contributions have covered both back-end and front-end improvements in both
>> projects in addition to release verification and thoughtful PR reviews.
>> 
>> Welcome and congratulations!
>> 



Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Joe Gresock
+1 (non-binding) -- ran through the release guide and ran a basic flow with
no problems

On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:

> Hello,
>
> I am pleased to be calling this vote for the source release of Apache
> NiFi 1.15.1.
>
> This vote, unlike most, is purely stability and security focused.
> This vote is rooted
> in a prompt response to the 'log4shell' vulnerability and related
> logging announcements.
> It also includes other easy to incorporate bugs and improvements.  It
> should be easy to
> upgrade from any 1.15 install to this and just as easy as it was to go
> from pre 1.15 to
> this 1.15.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1192
>
> The source being voted upon and the convenience binaries can be found at:
> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
>
> A helpful reminder on how the release candidate verification process works:
>
> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
>
> The Git tag is nifi-1.15.1-RC1
> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
>
> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
>
> Checksums of nifi-1.15.1-source-release.zip:
> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> SHA512:
> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/joewitt.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 45 issues were closed/resolved for this release:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
>
> Release note highlights can be found here:
>
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
>
> Given the nature of the vote being about a prompt release to remove
> vulnerable
> logging related libraries the vote will be open for 24 hours (instead
> of the normal 72 hours).
>
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test.
> Then please vote:
>
> [ ] +1 Release this package as nifi-1.15.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because...
>


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Matt Burgess
Congratulations Margot!!

On Wed, Dec 15, 2021 at 1:46 PM Matt Gilman  wrote:
>
> Apache NiFi community,
>
> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> has accepted the PMC's invitation to become a committer on the Apache NiFi
> project. We greatly appreciate all of Margot's hard work and generous
> contributions to the project. We look forward to continued involvement in
> the project.
>
> Margot has been contributing to NiFi and NiFi Registry for years. Her
> contributions have covered both back-end and front-end improvements in both
> projects in addition to release verification and thoughtful PR reviews.
>
> Welcome and congratulations!


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Pierre Villard
Congrats Margot!

On Wed, Dec 15, 2021 at 20:00, Kevin Doran wrote:

> Congratulations Margot! Well deserved.
>
> > On Dec 15, 2021, at 13:47, Joe Witt  wrote:
> >
> > Congrats Margot!   And thanks
> >
> > On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman wrote:
> >
> >> Apache NiFi community,
> >>
> >> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> >> has accepted the PMC's invitation to become a committer on the Apache NiFi
> >> project. We greatly appreciate all of Margot's hard work and generous
> >> contributions to the project. We look forward to continued involvement in
> >> the project.
> >>
> >> Margot has been contributing to NiFi and NiFi Registry for years. Her
> >> contributions have covered both back-end and front-end improvements in both
> >> projects in addition to release verification and thoughtful PR reviews.
> >>
> >> Welcome and congratulations!
> >>
>
>


Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Mark Payne
+1 (binding)

Was able to verify hash & signature.
Completed full build w/ all unit tests
Ran system tests with all completing successfully

Started a standalone instance with OOTB config and verified all was ok

Started a secure cluster and ran some dummy flows to ensure that data was 
processing as expected. Encountered no issues.

Built a dataflow that unpacks the entire archive and recursively unpacks all 
nars, jars, tars, gzip, zip, etc. and looks for any JndiLookup.class files. 
This way, even if a log4j dependency were shaded, it would still be flagged. 
Was able to find that older builds have several NARs packaged that had a 
JndiLookup.class but can confirm that this build contains no instances of it.

Thanks for turning around the RC and the vote and performing the RM duties so 
quickly Joe!

-Mark


> On Dec 15, 2021, at 2:02 PM, Joe Gresock  wrote:
> 
> +1 (non-binding) -- ran through the release guide and ran a basic flow with
> no problems
> 
> On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:
> 
>> Hello,
>> 
>> I am pleased to be calling this vote for the source release of Apache
>> NiFi 1.15.1.
>> 
>> This vote, unlike most, is purely stability and security focused.
>> This vote is rooted
>> in a prompt response to the 'log4shell' vulnerability and related
>> logging announcements.
>> It also includes other easy to incorporate bugs and improvements.  It
>> should be easy to
>> upgrade from any 1.15 install to this and just as easy as it was to go
>> from pre 1.15 to
>> this 1.15.1.
>> 
>> The source zip, including signatures, digests, etc. can be found at:
>> https://repository.apache.org/content/repositories/orgapachenifi-1192
>> 
>> The source being voted upon and the convenience binaries can be found at:
>> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
>> 
>> A helpful reminder on how the release candidate verification process works:
>> 
>> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
>> 
>> The Git tag is nifi-1.15.1-RC1
>> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
>> 
>> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
>> 
>> Checksums of nifi-1.15.1-source-release.zip:
>> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
>> SHA512:
>> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
>> 
>> Release artifacts are signed with the following key:
>> https://people.apache.org/keys/committer/joewitt.asc
>> 
>> KEYS file available here:
>> https://dist.apache.org/repos/dist/release/nifi/KEYS
>> 
>> 45 issues were closed/resolved for this release:
>> 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
>> 
>> Release note highlights can be found here:
>> 
>> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
>> 
>> Given the nature of the vote being about a prompt release to remove
>> vulnerable
>> logging related libraries the vote will be open for 24 hours (instead
>> of the normal 72 hours).
>> 
>> Please download the release candidate and evaluate the necessary items
>> including checking hashes, signatures, build from source, and test.
>> Then please vote:
>> 
>> [ ] +1 Release this package as nifi-1.15.1
>> [ ] +0 no opinion
>> [ ] -1 Do not release this package because...
>> 
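The check Mark Payne describes above (recursively unpacking nars, jars, tars, gzip and zip files and looking for any JndiLookup.class, so that a shaded log4j copy is still flagged) can also be run offline against a build. The following is an added example, not the dataflow from the thread and not NiFi project code; the function names, the depth and size limits, and the in-memory sample archives are assumptions constructed for illustration.

```python
import gzip
import io
import tarfile
import zipfile
import zlib

TARGET = "JndiLookup.class"
MAX_DEPTH = 8                   # nesting limit (assumed value)
MAX_MEMBER_BYTES = 256 * 2**20  # per-entry size limit (assumed value)


def _children(data):
    """Yield (name, bytes) per entry if data is a gzip, tar or zip container."""
    if data[:2] == b"\x1f\x8b":  # gzip magic
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                yield "(gunzip)", gz.read(MAX_MEMBER_BYTES)
        except (OSError, EOFError, zlib.error):
            pass
        return
    # Tar is tried before zip: a plain tar ending in a jar can pass is_zipfile().
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf:
                if member.isfile() and member.size <= MAX_MEMBER_BYTES:
                    yield member.name, tf.extractfile(member).read()
        return
    except tarfile.TarError:
        pass
    if zipfile.is_zipfile(io.BytesIO(data)):  # zip, jar, nar
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir() and info.file_size <= MAX_MEMBER_BYTES:
                        yield info.filename, zf.read(info)
        except zipfile.BadZipFile:
            pass


def find_jndi_lookup(data, path, depth=0):
    """Return the nested path of every JndiLookup.class reachable inside data."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    for name, child in _children(data):
        child_path = f"{path}!/{name}"
        # Match on the file name only, so a relocated (shaded) package still hits.
        if name.rsplit("/", 1)[-1] == TARGET:
            hits.append(child_path)
        else:
            hits.extend(find_jndi_lookup(child, child_path, depth + 1))
    return hits


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _tar_gz(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample input: stub bytes, not real class files or NiFi artifacts.
STUB = b"\xca\xfe\xba\xbe constructed stub"
LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
OLD_BUILD = _zip({
    "lib/example.nar": _zip({"META-INF/bundled-dependencies/client.jar": _zip({"shaded/" + LOOKUP: STUB})}),
    "lib/tools.tar.gz": _tar_gz({"tools/log4j-core.jar": _zip({LOOKUP: STUB})}),
    "README": b"constructed sample",
})
CLEAN_BUILD = _zip({"lib/example.nar": _zip({"lib/slf4j-api.jar": _zip({"org/slf4j/Logger.class": STUB})})})

if __name__ == "__main__":
    for hit in find_jndi_lookup(OLD_BUILD, "old-build.zip"):
        print(hit)
```

Everything is read in memory and nothing is extracted to disk, so entry names are only ever used as labels in the reported path.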



Re: [VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Joe Witt
+1 binding

On Wed, Dec 15, 2021 at 12:25 PM Mark Payne  wrote:
>
> +1 (binding)
>
> Was able to verify hash & signature.
> Completed full build w/ all unit tests
> Ran system tests with all completing successfully
>
> Started a standalone instance with OOTB config and verified all was ok
>
> Started a secure cluster and ran some dummy flows to ensure that data was 
> processing as expected. Encountered no issues.
>
> Built a dataflow that unpacks the entire archive and recursively unpacks all 
> nars, jars, tars, gzip, zip, etc. and looks for any JndiLookup.class files. 
> This way, even if a log4j dependency were shaded, it would still be flagged. 
> Was able to find that older builds have several NARs packaged that had a 
> JndiLookup.class but can confirm that this build contains no instances of it.
>
> Thanks for turning around the RC and the vote and performing the RM duties so 
> quickly Joe!
>
> -Mark
>
>
> > On Dec 15, 2021, at 2:02 PM, Joe Gresock  wrote:
> >
> > +1 (non-binding) -- ran through the release guide and ran a basic flow with
> > no problems
> >
> > On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:
> >
> >> Hello,
> >>
> >> I am pleased to be calling this vote for the source release of Apache
> >> NiFi 1.15.1.
> >>
> >> This vote, unlike most, is purely stability and security focused.
> >> This vote is rooted
> >> in a prompt response to the 'log4shell' vulnerability and related
> >> logging announcements.
> >> It also includes other easy to incorporate bugs and improvements.  It
> >> should be easy to
> >> upgrade from any 1.15 install to this and just as easy as it was to go
> >> from pre 1.15 to
> >> this 1.15.1.
> >>
> >> The source zip, including signatures, digests, etc. can be found at:
> >> https://repository.apache.org/content/repositories/orgapachenifi-1192
> >>
> >> The source being voted upon and the convenience binaries can be found at:
> >> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> >>
> >> A helpful reminder on how the release candidate verification process works:
> >>
> >> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> >>
> >> The Git tag is nifi-1.15.1-RC1
> >> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> >>
> >> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> >>
> >> Checksums of nifi-1.15.1-source-release.zip:
> >> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> >> SHA512:
> >> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> >>
> >> Release artifacts are signed with the following key:
> >> https://people.apache.org/keys/committer/joewitt.asc
> >>
> >> KEYS file available here:
> >> https://dist.apache.org/repos/dist/release/nifi/KEYS
> >>
> >> 45 issues were closed/resolved for this release:
> >>
> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> >>
> >> Release note highlights can be found here:
> >>
> >> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> >>
> >> Given the nature of the vote being about a prompt release to remove
> >> vulnerable
> >> logging related libraries the vote will be open for 24 hours (instead
> >> of the normal 72 hours).
> >>
> >> Please download the release candidate and evaluate the necessary items
> >> including checking hashes, signatures, build from source, and test.
> >> Then please vote:
> >>
> >> [ ] +1 Release this package as nifi-1.15.1
> >> [ ] +0 no opinion
> >> [ ] -1 Do not release this package because...
> >>
>


[RESULT][VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Joe Witt
Apache NiFi Community,

I am pleased to announce that the 1.15.1 release of Apache NiFi passes with
6 +1 (binding) votes
3 +1 (non-binding) votes
0 0 votes
0 -1 votes (non-binding) votes

Thank you all for quickly making this release and vote work out so
quickly.  It was a shortened 24 hour vote which I'm closing a bit
early given the language found in policy
https://www.apache.org/foundation/voting.html#ReleaseVotes.  Doing
this promptly to get a clear/precise answer to the growing emails,
slack messages, and JIRAs on this topic.

Here is the PMC vote thread:
https://lists.apache.org/thread/4ypxoxv2fnlh6wm0njjhxvxnfo846330



On Wed, Dec 15, 2021 at 12:26 PM Joe Witt  wrote:
>
> +1 binding
>
> On Wed, Dec 15, 2021 at 12:25 PM Mark Payne  wrote:
> >
> > +1 (binding)
> >
> > Was able to verify hash & signature.
> > Completed full build w/ all unit tests
> > Ran system tests with all completing successfully
> >
> > Started a standalone instance with OOTB config and verified all was ok
> >
> > Started a secure cluster and ran some dummy flows to ensure that data was 
> > processing as expected. Encountered no issues.
> >
> > Built a dataflow that unpacks the entire archive and recursively unpacks 
> > all nars, jars, tars, gzip, zip, etc. and looks for any JndiLookup.class 
> > files. This way, even if a log4j dependency were shaded, it would still be 
> > flagged. Was able to find that older builds have several NARs packaged that 
> > had a JndiLookup.class but can confirm that this build contains no 
> > instances of it.
> >
> > Thanks for turning around the RC and the vote and performing the RM duties 
> > so quickly Joe!
> >
> > -Mark
> >
> >
> > > On Dec 15, 2021, at 2:02 PM, Joe Gresock  wrote:
> > >
> > > +1 (non-binding) -- ran through the release guide and ran a basic flow 
> > > with
> > > no problems
> > >
> > > On Tue, Dec 14, 2021 at 10:35 PM Joe Witt  wrote:
> > >
> > >> Hello,
> > >>
> > >> I am pleased to be calling this vote for the source release of Apache
> > >> NiFi 1.15.1.
> > >>
> > >> This vote, unlike most, is purely stability and security focused.
> > >> This vote is rooted
> > >> in a prompt response to the 'log4shell' vulnerability and related
> > >> logging announcements.
> > >> It also includes other easy to incorporate bugs and improvements.  It
> > >> should be easy to
> > >> upgrade from any 1.15 install to this and just as easy as it was to go
> > >> from pre 1.15 to
> > >> this 1.15.1.
> > >>
> > >> The source zip, including signatures, digests, etc. can be found at:
> > >> https://repository.apache.org/content/repositories/orgapachenifi-1192
> > >>
> > >> The source being voted upon and the convenience binaries can be found at:
> > >> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> > >>
> > >> A helpful reminder on how the release candidate verification process 
> > >> works:
> > >>
> > >> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> > >>
> > >> The Git tag is nifi-1.15.1-RC1
> > >> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> > >>
> > >> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> > >>
> > >> Checksums of nifi-1.15.1-source-release.zip:
> > >> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> > >> SHA512:
> > >> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> > >>
> > >> Release artifacts are signed with the following key:
> > >> https://people.apache.org/keys/committer/joewitt.asc
> > >>
> > >> KEYS file available here:
> > >> https://dist.apache.org/repos/dist/release/nifi/KEYS
> > >>
> > >> 45 issues were closed/resolved for this release:
> > >>
> > >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> > >>
> > >> Release note highlights can be found here:
> > >>
> > >> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> > >>
> > >> Given the nature of the vote being about a prompt release to remove
> > >> vulnerable
> > >> logging related libraries the vote will be open for 24 hours (instead
> > >> of the normal 72 hours).
> > >>
> > >> Please download the release candidate and evaluate the necessary items
> > >> including checking hashes, signatures, build from source, and test.
> > >> Then please vote:
> > >>
> > >> [ ] +1 Release this package as nifi-1.15.1
> > >> [ ] +0 no opinion
> > >> [ ] -1 Do not release this package because...
> > >>
> >


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Chris Sampson
Congrats Margot!

---
*Chris Sampson*
IT Consultant
chris.samp...@naimuri.com


On Wed, 15 Dec 2021 at 19:04, Pierre Villard wrote:

> Congrats Margot!
>
> On Wed, Dec 15, 2021 at 20:00, Kevin Doran wrote:
>
> > Congratulations Margot! Well deserved.
> >
> > > On Dec 15, 2021, at 13:47, Joe Witt  wrote:
> > >
> > > Congrats Margot!   And thanks
> > >
> > > On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman wrote:
> > >
> > >> Apache NiFi community,
> > >>
> > >> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> > >> has accepted the PMC's invitation to become a committer on the Apache NiFi
> > >> project. We greatly appreciate all of Margot's hard work and generous
> > >> contributions to the project. We look forward to continued involvement in
> > >> the project.
> > >>
> > >> Margot has been contributing to NiFi and NiFi Registry for years. Her
> > >> contributions have covered both back-end and front-end improvements in both
> > >> projects in addition to release verification and thoughtful PR reviews.
> > >>
> > >> Welcome and congratulations!
> > >>
> >
> >
>


Re: [RESULT][VOTE] Release Apache NiFi 1.15.1 (rc1)

2021-12-15 Thread Nathan Gough
Little bit late but +1 non binding, verified the hashes and tested a secure
cluster + secure external ZK and some data flows.

On Wed, Dec 15, 2021 at 2:31 PM Joe Witt  wrote:

> Apache NiFi Community,
>
> I am pleased to announce that the 1.15.1 release of Apache NiFi passes with
> 6 +1 (binding) votes
> 3 +1 (non-binding) votes
> 0 0 votes
> 0 -1 votes (non-binding) votes
>
> Thank you all for quickly making this release and vote work out so
> quickly.  It was a shortened 24 hour vote which I'm closing a bit
> early given the language found in policy
> https://www.apache.org/foundation/voting.html#ReleaseVotes.  Doing
> this promptly to get a clear/precise answer to the growing emails,
> slack messages, and JIRAs on this topic.
>
> Here is the PMC vote thread:
> https://lists.apache.org/thread/4ypxoxv2fnlh6wm0njjhxvxnfo846330
>
>
>
> On Wed, Dec 15, 2021 at 12:26 PM Joe Witt  wrote:
> >
> > +1 binding
> >
> > On Wed, Dec 15, 2021 at 12:25 PM Mark Payne wrote:
> > >
> > > +1 (binding)
> > >
> > > Was able to verify hash & signature.
> > > Completed full build w/ all unit tests
> > > Ran system tests with all completing successfully
> > >
> > > Started a standalone instance with OOTB config and verified all was ok
> > >
> > > Started a secure cluster and ran some dummy flows to ensure that data
> > > was processing as expected. Encountered no issues.
> > >
> > > Built a dataflow that unpacks the entire archive and recursively
> > > unpacks all nars, jars, tars, gzip, zip, etc. and looks for any
> > > JndiLookup.class files. This way, even if a log4j dependency were shaded,
> > > it would still be flagged. Was able to find that older builds have several
> > > NARs packaged that had a JndiLookup.class but can confirm that this build
> > > contains no instances of it.
> > >
> > > Thanks for turning around the RC and the vote and performing the RM
> > > duties so quickly Joe!
> > >
> > > -Mark
> > >
> > >
> > > > On Dec 15, 2021, at 2:02 PM, Joe Gresock  wrote:
> > > >
> > > > +1 (non-binding) -- ran through the release guide and ran a basic
> > > > flow with no problems
> > > >
> > > > On Tue, Dec 14, 2021 at 10:35 PM Joe Witt wrote:
> > > >
> > > >> Hello,
> > > >>
> > > >> I am pleased to be calling this vote for the source release of Apache
> > > >> NiFi 1.15.1.
> > > >>
> > > >> This vote, unlike most, is purely stability and security focused.
> > > >> This vote is rooted
> > > >> in a prompt response to the 'log4shell' vulnerability and related
> > > >> logging announcements.
> > > >> It also includes other easy to incorporate bugs and improvements.  It
> > > >> should be easy to
> > > >> upgrade from any 1.15 install to this and just as easy as it was to go
> > > >> from pre 1.15 to
> > > >> this 1.15.1.
> > > >>
> > > >> The source zip, including signatures, digests, etc. can be found at:
> > > >> https://repository.apache.org/content/repositories/orgapachenifi-1192
> > > >>
> > > >> The source being voted upon and the convenience binaries can be found at:
> > > >> https://dist.apache.org/repos/dist/dev/nifi/nifi-1.15.1/
> > > >>
> > > >> A helpful reminder on how the release candidate verification process works:
> > > >>
> > > >> https://cwiki.apache.org/confluence/display/NIFI/How+to+help+verify+an+Apache+NiFi+release+candidate
> > > >>
> > > >> The Git tag is nifi-1.15.1-RC1
> > > >> The Git commit ID is 2a756372fc7097ece6258c2af47b9a5f26384b02
> > > >>
> > > >> https://gitbox.apache.org/repos/asf?p=nifi.git;a=commit;h=2a756372fc7097ece6258c2af47b9a5f26384b02
> > > >>
> > > >> Checksums of nifi-1.15.1-source-release.zip:
> > > >> SHA256: 83d06011f0d2608d2d9cf951deae04d7b0921f2a7c8b1052ca9d058cf46b7d52
> > > >> SHA512:
> > > >> 009161e81e207a16060d9efd37e9b9abd1c1d5b5d57024a2b4c0d0ea17050f65b3a025632718161cba41948fe51d93aed65a4daba2542fce4da51d0184872039
> > > >>
> > > >> Release artifacts are signed with the following key:
> > > >> https://people.apache.org/keys/committer/joewitt.asc
> > > >>
> > > >> KEYS file available here:
> > > >> https://dist.apache.org/repos/dist/release/nifi/KEYS
> > > >>
> > > >> 45 issues were closed/resolved for this release:
> > > >>
> > > >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055
> > > >>
> > > >> Release note highlights can be found here:
> > > >>
> > > >> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1
> > > >>
> > > >> Given the nature of the vote being about a prompt release to remove
> > > >> vulnerable
> > > >> logging related libraries the vote will be open for 24 hours (instead
> > > >> of the normal 72 hours).
> > > >>
> > > >> Please download the release candidate and evaluate the necessary items
> > > >> including checking hashes, signatures, build from source, and test.
> > > >> Then please vote:
> > > >>
> > > >> [ ] +1 Release this package as nifi-1.15.1
> > > >> [ ] +0 no opinion
> > > >> [ ] -1 Do not release this package because...
> > > 

Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread Nathan Gough
Congrats Margot, thanks for all your contributions!

On Wed, Dec 15, 2021 at 3:02 PM Chris Sampson wrote:

> Congrats Margot!
>
> ---
> *Chris Sampson*
> IT Consultant
> chris.samp...@naimuri.com
>
>
> On Wed, 15 Dec 2021 at 19:04, Pierre Villard wrote:
>
> > Congrats Margot!
> >
> > On Wed, Dec 15, 2021 at 20:00, Kevin Doran wrote:
> >
> > > Congratulations Margot! Well deserved.
> > >
> > > > On Dec 15, 2021, at 13:47, Joe Witt  wrote:
> > > >
> > > > Congrats Margot!   And thanks
> > > >
> > > > On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman wrote:
> > > >
> > > >> Apache NiFi community,
> > > >>
> > > >> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> > > >> has accepted the PMC's invitation to become a committer on the Apache NiFi
> > > >> project. We greatly appreciate all of Margot's hard work and generous
> > > >> contributions to the project. We look forward to continued involvement in
> > > >> the project.
> > > >>
> > > >> Margot has been contributing to NiFi and NiFi Registry for years. Her
> > > >> contributions have covered both back-end and front-end improvements in both
> > > >> projects in addition to release verification and thoughtful PR reviews.
> > > >>
> > > >> Welcome and congratulations!
> > > >>
> > >
> > >
> >
>


Re: [ANNOUNCE] New Apache NiFi Committer Margot Tien

2021-12-15 Thread David Handermann
Congratulations Margot!

On Wed, Dec 15, 2021 at 2:50 PM Nathan Gough  wrote:

> Congrats Margot, thanks for all your contributions!
>
> On Wed, Dec 15, 2021 at 3:02 PM Chris Sampson wrote:
>
> > Congrats Margot!
> >
> > ---
> > *Chris Sampson*
> > IT Consultant
> > chris.samp...@naimuri.com
> >
> >
> > On Wed, 15 Dec 2021 at 19:04, Pierre Villard <pierre.villard...@gmail.com> wrote:
> >
> > > Congrats Margot!
> > >
> > > On Wed, Dec 15, 2021 at 20:00, Kevin Doran wrote:
> > >
> > > > Congratulations Margot! Well deserved.
> > > >
> > > > > On Dec 15, 2021, at 13:47, Joe Witt  wrote:
> > > > >
> > > > > Congrats Margot!   And thanks
> > > > >
> > > > > On Wed, Dec 15, 2021 at 11:46 AM Matt Gilman wrote:
> > > > >
> > > > >> Apache NiFi community,
> > > > >>
> > > > >> On behalf of the Apache NiFi PMC, I am very pleased to announce that Margot
> > > > >> has accepted the PMC's invitation to become a committer on the Apache NiFi
> > > > >> project. We greatly appreciate all of Margot's hard work and generous
> > > > >> contributions to the project. We look forward to continued involvement in
> > > > >> the project.
> > > > >>
> > > > >> Margot has been contributing to NiFi and NiFi Registry for years. Her
> > > > >> contributions have covered both back-end and front-end improvements in both
> > > > >> projects in addition to release verification and thoughtful PR reviews.
> > > > >>
> > > > >> Welcome and congratulations!
> > > > >>
> > > >
> > > >
> > >
> >
>


[ANNOUNCE] Apache NiFi 1.15.1 release

2021-12-15 Thread Joe Witt
Hello

The Apache NiFi team would like to announce the release of Apache NiFi 1.15.1.

This is a bug, improvement, and security focused release.  The primary intent
is a prompt release which ensures we no longer use any log4j 1.x or 2.x prior
to 2.16 artifacts and we also update to the latest logback.  But there are a
host of other bugs and improvements included.

Apache NiFi is an easy to use, powerful, and reliable system to process and
distribute data.  Apache NiFi was made for dataflow.  It supports highly
configurable directed graphs of data routing, transformation, and system
mediation logic.

More details on Apache NiFi can be found here:
https://nifi.apache.org/

The release artifacts can be downloaded from here:
https://nifi.apache.org/download.html

Maven artifacts have been made available and mirrored as per normal
ASF artifact processes.

Issues closed/resolved for this list can be found here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12351055

Release note highlights can be found here:
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.15.1

Thank you
The Apache NiFi team