Re: Log4j, CVE-2021-44228, and Mahout

2021-12-28 Thread Trevor Grant
@Musselman, I sent invite directly to you.

@Anyone-else-interested, please don't be shy, join us:

Apache Mahout
Tuesday, December 28 · 5:00 – 6:00pm (CST, -0600)
Google Meet joining info
Video call link: https://meet.google.com/ajg-rxbo-jvw

On Thu, Dec 23, 2021 at 12:33 PM Trevor Grant 
wrote:

> Works for me- if anyone else wants to join and that time doesn't work
> (17:00 -6:00 UTC), speak up.
>
> On Thu, Dec 23, 2021 at 12:22 PM Andrew Musselman <
> andrew.mussel...@gmail.com> wrote:
>
>> Works for me; have a good holiday and see you Tuesday. Five p.m. Central
>> maybe?
>>
>> On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant 
>> wrote:
>>
>> > I don't think we set a time / place to meet tonight-
>> >
>> > I propose punting to next week, I'll probably hack a bit tonight- just send
>> > a proposed time / channel.
>> >
>> > tg
>> >
>> > On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <andrew.mussel...@gmail.com>
>> > wrote:
>> >
>> > > Good for me
>> > >
>> > > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant <trevor.d.gr...@gmail.com>
>> > > wrote:
>> > >
>> > > > Love this idea, how about Tuesday evenings, starting the 21st ( a week from
>> > > > tonight )
>> > > >
>> > > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <andrew.mussel...@gmail.com>
>> > > > wrote:
>> > > >
>> > > > > Thanks Trevor; may be a good time to revive our online meetings to talk
>> > > > > through this one..
>> > > > >
>> > > > > I could find time during the holiday break pretty much any day; if anyone
>> > > > > else is interested let us know if there's a good time to chat.
>> > > > >
>> > > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <trevor.d.gr...@gmail.com>
>> > > > > wrote:
>> > > > >
>> > > > > > Many of you have probably become aware of Log4j's vulnerability to
>> > > > > > CVE-2021-44228 recently.
>> > > > > >
>> > > > > > Though Mahout is a sleepy project, we are vigilant and want you to know we
>> > > > > > are aware of the issue and have been monitoring.
>> > > > > >
>> > > > > > First, let me assure you that since Mahout (like over 90% of log4j users)
>> > > > > > is on version 1.x it is not vulnerable to the JNDI remote execution attack
>> > > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
>> > > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
>> > > > > >
>> > > > > > The update isn't too complex, but it's also not trivial, and most
>> > > > > > importantly it's not critical so you're not endangering anything running
>> > > > > > Mahout, and we'll hopefully get it in for the next release in a couple of
>> > > > > > months.
>> > > > > >
>> > > > > > Hope this helps everyone feel secure going into their holiday season.
>> > > > > >
>> > > > > > ~Trevor
>> > > > > >
>> > > > > > [1] http://slf4j.org/log4shell.html
>> > > > > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-23 Thread Trevor Grant
Works for me- if anyone else wants to join and that time doesn't work
(17:00 -6:00 UTC), speak up.

On Thu, Dec 23, 2021 at 12:22 PM Andrew Musselman <
andrew.mussel...@gmail.com> wrote:

> Works for me; have a good holiday and see you Tuesday. Five p.m. Central
> maybe?
>
> On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant 
> wrote:
>
> > I don't think we set a time / place to meet tonight-
> >
> > I propose punting to next week, I'll probably hack a bit tonight- just send
> > a proposed time / channel.
> >
> > tg
> >
> > On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <andrew.mussel...@gmail.com>
> > wrote:
> >
> > > Good for me
> > >
> > > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant
> > > wrote:
> > >
> > > > Love this idea, how about Tuesday evenings, starting the 21st ( a week from
> > > > tonight )
> > > >
> > > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <andrew.mussel...@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks Trevor; may be a good time to revive our online meetings to talk
> > > > > through this one..
> > > > >
> > > > > I could find time during the holiday break pretty much any day; if anyone
> > > > > else is interested let us know if there's a good time to chat.
> > > > >
> > > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <trevor.d.gr...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Many of you have probably become aware of Log4j's vulnerability to
> > > > > > CVE-2021-44228 recently.
> > > > > >
> > > > > > Though Mahout is a sleepy project, we are vigilant and want you to know we
> > > > > > are aware of the issue and have been monitoring.
> > > > > >
> > > > > > First, let me assure you that since Mahout (like over 90% of log4j users)
> > > > > > is on version 1.x it is not vulnerable to the JNDI remote execution attack
> > > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > > > >
> > > > > > The update isn't too complex, but it's also not trivial, and most
> > > > > > importantly it's not critical so you're not endangering anything running
> > > > > > Mahout, and we'll hopefully get it in for the next release in a couple of
> > > > > > months.
> > > > > >
> > > > > > Hope this helps everyone feel secure going into their holiday season.
> > > > > >
> > > > > > ~Trevor
> > > > > >
> > > > > > [1] http://slf4j.org/log4shell.html
> > > > > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > > > >
> > > > >
> > > >
> > >
> >
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-23 Thread Andrew Musselman
Works for me; have a good holiday and see you Tuesday. Five p.m. Central
maybe?

On Tue, Dec 21, 2021 at 12:56 PM Trevor Grant 
wrote:

> I don't think we set a time / place to meet tonight-
>
> I propose punting to next week, I'll probably hack a bit tonight- just send
> a proposed time / channel.
>
> tg
>
> On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman <andrew.mussel...@gmail.com>
> wrote:
>
> > Good for me
> >
> > On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant
> > wrote:
> >
> > > Love this idea, how about Tuesday evenings, starting the 21st ( a week from
> > > tonight )
> > >
> > > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <andrew.mussel...@gmail.com>
> > > wrote:
> > >
> > > > Thanks Trevor; may be a good time to revive our online meetings to talk
> > > > through this one..
> > > >
> > > > I could find time during the holiday break pretty much any day; if anyone
> > > > else is interested let us know if there's a good time to chat.
> > > >
> > > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant <trevor.d.gr...@gmail.com>
> > > > wrote:
> > > >
> > > > > Many of you have probably become aware of Log4j's vulnerability to
> > > > > CVE-2021-44228 recently.
> > > > >
> > > > > Though Mahout is a sleepy project, we are vigilant and want you to know we
> > > > > are aware of the issue and have been monitoring.
> > > > >
> > > > > First, let me assure you that since Mahout (like over 90% of log4j users)
> > > > > is on version 1.x it is not vulnerable to the JNDI remote execution attack
> > > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > > >
> > > > > The update isn't too complex, but it's also not trivial, and most
> > > > > importantly it's not critical so you're not endangering anything running
> > > > > Mahout, and we'll hopefully get it in for the next release in a couple of
> > > > > months.
> > > > >
> > > > > Hope this helps everyone feel secure going into their holiday season.
> > > > >
> > > > > ~Trevor
> > > > >
> > > > > [1] http://slf4j.org/log4shell.html
> > > > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > > >
> > > >
> > >
> >
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-21 Thread Trevor Grant
I don't think we set a time / place to meet tonight-

I propose punting to next week, I'll probably hack a bit tonight- just send
a proposed time / channel.

tg

On Wed, Dec 15, 2021 at 8:52 AM Andrew Musselman 
wrote:

> Good for me
>
> On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant 
> wrote:
>
> > Love this idea, how about Tuesday evenings, starting the 21st ( a week from
> > tonight )
> >
> > On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <andrew.mussel...@gmail.com>
> > wrote:
> >
> > > Thanks Trevor; may be a good time to revive our online meetings to talk
> > > through this one..
> > >
> > > I could find time during the holiday break pretty much any day; if anyone
> > > else is interested let us know if there's a good time to chat.
> > >
> > > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant
> > > wrote:
> > >
> > > > Many of you have probably become aware of Log4j's vulnerability to
> > > > CVE-2021-44228 recently.
> > > >
> > > > Though Mahout is a sleepy project, we are vigilant and want you to know we
> > > > are aware of the issue and have been monitoring.
> > > >
> > > > First, let me assure you that since Mahout (like over 90% of log4j users)
> > > > is on version 1.x it is not vulnerable to the JNDI remote execution attack
> > > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > > >
> > > > The update isn't too complex, but it's also not trivial, and most
> > > > importantly it's not critical so you're not endangering anything running
> > > > Mahout, and we'll hopefully get it in for the next release in a couple of
> > > > months.
> > > >
> > > > Hope this helps everyone feel secure going into their holiday season.
> > > >
> > > > ~Trevor
> > > >
> > > > [1] http://slf4j.org/log4shell.html
> > > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > > >
> > >
> >
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-15 Thread Andrew Musselman
Good for me

On Tue, Dec 14, 2021 at 6:13 AM Trevor Grant 
wrote:

> Love this idea, how about Tuesday evenings, starting the 21st ( a week from
> tonight )
>
> On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman <andrew.mussel...@gmail.com>
> wrote:
>
> > Thanks Trevor; may be a good time to revive our online meetings to talk
> > through this one..
> >
> > I could find time during the holiday break pretty much any day; if anyone
> > else is interested let us know if there's a good time to chat.
> >
> > On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant
> > wrote:
> >
> > > Many of you have probably become aware of Log4j's vulnerability to
> > > CVE-2021-44228 recently.
> > >
> > > Though Mahout is a sleepy project, we are vigilant and want you to know we
> > > are aware of the issue and have been monitoring.
> > >
> > > First, let me assure you that since Mahout (like over 90% of log4j users)
> > > is on version 1.x it is not vulnerable to the JNDI remote execution attack
> > > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> > >
> > > The update isn't too complex, but it's also not trivial, and most
> > > importantly it's not critical so you're not endangering anything running
> > > Mahout, and we'll hopefully get it in for the next release in a couple of
> > > months.
> > >
> > > Hope this helps everyone feel secure going into their holiday season.
> > >
> > > ~Trevor
> > >
> > > [1] http://slf4j.org/log4shell.html
> > > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> > >
> >
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-14 Thread Trevor Grant
Love this idea, how about Tuesday evenings, starting the 21st ( a week from
tonight )

On Mon, Dec 13, 2021 at 7:37 PM Andrew Musselman 
wrote:

> Thanks Trevor; may be a good time to revive our online meetings to talk
> through this one..
>
> I could find time during the holiday break pretty much any day; if anyone
> else is interested let us know if there's a good time to chat.
>
> On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant 
> wrote:
>
> > Many of you have probably become aware of Log4j's vulnerability to
> > CVE-2021-44228 recently.
> >
> > Though Mahout is a sleepy project, we are vigilant and want you to know we
> > are aware of the issue and have been monitoring.
> >
> > First, let me assure you that since Mahout (like over 90% of log4j users)
> > is on version 1.x it is not vulnerable to the JNDI remote execution attack
> > [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> > update that. I've made a JIRA ticket (MAHOUT-2140)[2].
> >
> > The update isn't too complex, but it's also not trivial, and most
> > importantly it's not critical so you're not endangering anything running
> > Mahout, and we'll hopefully get it in for the next release in a couple of
> > months.
> >
> > Hope this helps everyone feel secure going into their holiday season.
> >
> > ~Trevor
> >
> > [1] http://slf4j.org/log4shell.html
> > [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
> >
>


Re: Log4j, CVE-2021-44228, and Mahout

2021-12-13 Thread Andrew Musselman
Thanks Trevor; may be a good time to revive our online meetings to talk
through this one..

I could find time during the holiday break pretty much any day; if anyone
else is interested let us know if there's a good time to chat.

On Mon, Dec 13, 2021 at 4:26 PM Trevor Grant 
wrote:

> Many of you have probably become aware of Log4j's vulnerability to
> CVE-2021-44228 recently.
>
> Though Mahout is a sleepy project, we are vigilant and want you to know we
> are aware of the issue and have been monitoring.
>
> First, let me assure you that since Mahout (like over 90% of log4j users)
> is on version 1.x it is not vulnerable to the JNDI remote execution attack
> [1]. That said, 1.x was set for EOL in 2015, so it's probably time to
> update that. I've made a JIRA ticket (MAHOUT-2140)[2].
>
> The update isn't too complex, but it's also not trivial, and most
> importantly it's not critical so you're not endangering anything running
> Mahout, and we'll hopefully get it in for the next release in a couple of
> months.
>
> Hope this helps everyone feel secure going into their holiday season.
>
> ~Trevor
>
> [1] http://slf4j.org/log4shell.html
> [2] https://issues.apache.org/jira/projects/MAHOUT/issues/MAHOUT-2140
>
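
Added example, not part of the thread or of Mahout's code: one way to check which Log4j generation a build artifact actually ships, which is the basis of the "we are on 1.x" statement above. It looks inside a jar (and any nested jars) for the Log4j 1.x `Logger` class and for the `JndiLookup` class from log4j-core 2.x; a hit on the latter only means log4j-core 2.x is present and its version needs checking. The jar names and contents below are constructed sample input.

```python
import io
import zipfile

# Class-file paths that identify each Log4j generation inside a jar.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")


def scan_archive(data, label="<root>"):
    """Return sorted (archive_path, finding) pairs for a jar given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable")]
    with zf:
        for name in zf.namelist():
            if name == LOG4J1_MARKER:
                findings.append((label, "log4j-1.x"))
            elif name == JNDI_LOOKUP:
                findings.append((label, "log4j-2-core-with-JndiLookup"))
            elif name.lower().endswith(NESTED):
                # Fat jars and WARs embed dependencies as nested archives.
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return sorted(findings)


def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes} (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: file names are illustrative, contents are empty stubs.
legacy = make_jar({LOG4J1_MARKER: b""})
core2 = make_jar({JNDI_LOOKUP: b""})
app = make_jar({"lib/log4j-legacy.jar": legacy, "lib/log4j-core.jar": core2,
                "com/example/Main.class": b""})

if __name__ == "__main__":
    for where, what in scan_archive(app, "app.jar"):
        print(f"{what:30} {where}")
```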