Here are the JIRAs I grabbed from the 1.16/main line to pull into
1.15.1 in addition.
https://issues.apache.org/jira/browse/NIFI-9480?jql=project%20%3D%20NIFI%20AND%20fixVersion%20%3D%201.15.1
Thanks
On Mon, Dec 13, 2021 at 10:08 PM Joe Witt wrote:
>
> Goodness. Two RC build release processes
Goodness. Two RC build release processes have failed a couple hours
into it due to apparent network/availability issues while sending
artifacts to repository.apache.org. I can only assume they're getting
hit with a lot of projects trying to do a lot of uploads and such.
Will try again in a
Thanks - will roll with that
On Mon, Dec 13, 2021 at 10:03 AM David Handermann
wrote:
>
> PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
> version updates to Log4j 2 dependencies. It also excludes log4j-core older
> than 2.15.0 from build artifacts, so this should
PR 5598 for NIFI-9474 is now merged into the main branch, which streamlines
version updates to Log4j 2 dependencies. It also excludes log4j-core older
than 2.15.0 from build artifacts, so this should provide a good basis for a
patch release.
https://github.com/apache/nifi/pull/5598
Regards,
I'd agree. The discussions in Slack and separate user mailing list thread
are a reassurance for users (who read them), but a patch for the current
1.15 branch would seem sensible for people to pick up and assuage any
remaining security concerns they may have around the library.
That leaves 1.16 a
Joe,
Thanks for starting this discussion. Moving forward with a 1.15.1 patch
release sounds like the best path forward.
Regards,
David Handermann
On Mon, Dec 13, 2021 at 7:49 AM Joe Witt wrote:
> Team
>
> We still don't think we are vulnerable but this now highly risky library is
> present.
Thanks Marton. Sorry about that Adam!
On Mon, Dec 13, 2021 at 8:40 AM Marton Szasz wrote:
> For the record, there were actually 5 +1 (binding) votes and 5 +1
> (non-binding) votes.
>
> I'm assuming the miscategorized vote was from Marc, who didn't specify
> the kind of vote in the email, but he
Team
We still don't think we are vulnerable but this now highly risky library is
present. We have PRs to eliminate it/main is fixed. I think we should do
a 24 hour 1.15.1 release/vote for it. It will eliminate concerns for
users. We are frankly pretty close to a 1.16 release at this point
For the record, there were actually 5 +1 (binding) votes and 5 +1
(non-binding) votes.
I'm assuming the miscategorized vote was from Marc, who didn't specify
the kind of vote in the email, but he is a member of the PMC [1], so
his vote counts as binding. [2]
Thanks,
Marton
[1]