Log4j vulnerability - hotfix?

2021-12-10 Thread Eyal Yurman
Hello, regarding https://github.com/apache/druid/pull/12051, which merged to master: is it a common practice for the project to backport and release a new minor for the latest version?

Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Jihoon Son
Hi Eyal,

Yes. As this vulnerability seems critical, we are working on the 0.22.1 release.

On Fri, Dec 10, 2021 at 10:14 AM Eyal Yurman wrote:
> Hello, regarding https://github.com/apache/druid/pull/12051 which merged
> to
> master,
>
> Is it a common practice for the project to backport and re

Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Lucas Capistrant
Since it is “critical” severity, I think it would be a good idea to seriously consider pushing out a minor version of 0.22.x. Especially since the mitigation strategy outlined in the CVE is not available in the log4j version that exists today in the current stable release. There is past precedent f

Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Gian Merlino
We're working on this right now and will be getting a vote / release for 0.22.1 out asap. Btw, the log4j announcement mentions a mitigation that does work for our current version (2.8.2). It's part (b) here, specifying "%m{nolookups}" in the PatternLayout configuration: https://lists.apache.org/th

Re: Log4j vulnerability - hotfix?

2021-12-10 Thread David Glasser
I will note that the `%m{nolookups}` workaround feels a lot more challenging to feel comfortable using than the `-D`/env var workarounds that work in the newer versions. For example, our log4j2.xml file has two Appenders, one of which uses JsonLayout and one of which uses PatternLayout. It's hard t
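The mitigation Gian points to (part (b) of the log4j announcement) and the limitation David raises both come down to how each appender's layout is configured. The following log4j2.xml is an added illustration, not Druid's shipped configuration: it shows a PatternLayout appender as it would typically look on log4j 2.8.2, beside the same appender with `%m{nolookups}` applied. Appender names, the pattern string and the logger levels are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of the %m{nolookups} mitigation; not Druid's own log4j2.xml. -->
<Configuration status="WARN">
  <Appenders>
    <!-- BEFORE: the plain %m converter lets log4j resolve ${...} lookups that appear
         inside the logged message text. On log4j 2.8.2 this is the behaviour the
         vulnerability discussed in this thread relies on. -->
    <Console name="ConsoleUnpatched" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>

    <!-- AFTER: %m{nolookups} tells the message converter to emit the message verbatim,
         without lookup substitution. This is the workaround the log4j announcement
         lists as part (b) and that the thread confirms works on 2.8.2. -->
    <Console name="ConsoleMitigated" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m{nolookups}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Only the mitigated appender is referenced; the unpatched one is kept solely
         to show the difference in the pattern string. -->
    <Root level="info">
      <AppenderRef ref="ConsoleMitigated"/>
    </Root>
  </Loggers>
</Configuration>
```

Two practical points follow from the thread. First, the option is per pattern: every `PatternLayout` in the file (and any `%m`, `%msg` or `%message` alias inside it) has to carry `{nolookups}`, so a quick check is to search the configuration for message converters that lack the option. Second, as David notes, the option belongs to `PatternLayout` and gives you nothing for appenders that use `JsonLayout`, and the `-D`/environment-variable switch he mentions only exists in newer log4j versions than the 2.8.2 shipped at the time; that gap is why the maintainers treated the 0.22.1 release as the real fix rather than the configuration workaround.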

Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Gian Merlino
Hi David, Right now we are very much dedicating our efforts to getting a 0.22.1 patch release out. It's taking longer than we'd hoped due to an unexpected issue with the upgrade to log4j 2.15.0: https://github.com/apache/druid/pull/12056 . Based on the testing we've done so far, though, I think t

Re: [E] Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Eyal Yurman
Thank you for the fast response.

On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino wrote:
> We're working on this right now and will be getting a vote / release for
> 0.22.1 out asap.
>
> Btw, the log4j announcement mentions a mitigation that does work for our
> current version (2.8.2). It's part (b

Re: [E] Re: Log4j vulnerability - hotfix?

2021-12-10 Thread Jihoon Son
I started a release vote an hour ago. If you want to use the patched version soon, please help with reviewing the release :)

On Fri, Dec 10, 2021 at 12:22 PM Eyal Yurman wrote:
> Thank you for the fast response.
>
> On Fri, Dec 10, 2021 at 11:35 AM Gian Merlino wrote:
>
> > We're working on thi