tony-- commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993190702
Thanks for the confirmation @jvz. Yes, I plan on removing SocketServer for
[CVE-2019-17571](https://nvd.nist.gov/vuln/detail/CVE-2019-17571). FWIW,
anyone using 1.2.17 mig
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458921#comment-17458921
]
Lloyd Fernandes commented on LOG4J2-3201:
-
I agree it would look weird. I could
[
https://issues.apache.org/jira/browse/LOG4J2-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker resolved LOG4J2-3222.
-
Fix Version/s: 2.16.0
Assignee: Matt Sicker
Resolution: Fixed
Fixed in release-2
[
https://issues.apache.org/jira/browse/LOG4J2-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458915#comment-17458915
]
ASF subversion and git services commented on LOG4J2-3222:
-
Commi
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993182759
Yes, removing the JMSAppender class would mitigate one of the main issues
there. I'd recommend removing SocketServer while you're at it as that's
affected by an older CVE.
--
Daniel Kirkdorffer created LOG4J2-3222:
--
Summary: Documentation at https://logging.apache.org/log4j/2.x/
has obsolete references to 2.15.1
Key: LOG4J2-3222
URL: https://issues.apache.org/jira/browse/LOG4J2-32
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We
tony-- commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993170115
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We decide
rgmz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993167440
@tony-- there is a POC in the Snyk advisory posted by @Kirill89 somewhere
above.
--
This is an automated message from the Apache Git Service.
To respond to the message, plea
tony-- commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993166232
> > Thank you Gary, Is there a way to make sure JMS Appender is disabled?
Just to make sure that even if one of the installed Eclipse plug-ins is
configured in a risky way,
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458905#comment-17458905
]
Truman Lackey commented on LOGCXX-537:
--
I don't know the inner details of the socket
brunoborges commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993112293
> sorry for asking twice.
> Would it match to shutdown tomcat, remove the lookup class using the zip
command given in
https://github.com/apache/logging-log4j2/pull/6
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458854#comment-17458854
]
Truman Lackey edited comment on LOGCXX-537 at 12/14/21, 2:34 AM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458854#comment-17458854
]
Truman Lackey edited comment on LOGCXX-537 at 12/14/21, 2:31 AM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458854#comment-17458854
]
Truman Lackey edited comment on LOGCXX-537 at 12/14/21, 2:06 AM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458854#comment-17458854
]
Truman Lackey commented on LOGCXX-537:
--
I looked at the test issues on a mac and it
vy merged pull request #625:
URL: https://github.com/apache/logging-log4j2/pull/625
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-
vy commented on pull request #625:
URL: https://github.com/apache/logging-log4j2/pull/625#issuecomment-993074896
Thanks @rschmitt!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific co
Lucy Menon created LOG4J2-3221:
--
Summary: JNDI lookups in PatternFormatter (not message patterns)
enabled in Log4j2 < 2.16.0
Key: LOG4J2-3221
URL: https://issues.apache.org/jira/browse/LOG4J2-3221
Projec
rschmitt opened a new pull request #625:
URL: https://github.com/apache/logging-log4j2/pull/625
This change ensures that it remains safe to remove `JndiLookup.class`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use th
sellexx-stephan commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993056104
sorry for asking twice.
Would it match to shutdown tomcat, remove the lookup class using the zip
command given in
https://github.com/apache/logging-log4j2/pull/6
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458818#comment-17458818
]
Truman Lackey commented on LOGCXX-537:
--
{quote}
* Double mutex lock(fixed with r
sellexx-stephan commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993012256
Thanks, brunoborges
So how to shutdown and startup JVM? I can't find a service which looks like
this.
About automatic deployments. You are right, some
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458799#comment-17458799
]
Robert Middleton commented on LOGCXX-537:
-
So does that mean that there are multi
BUILD SUCCESS
Build URL
https://ci-builds.apache.org/job/Logging/job/log4j/job/release-2.x/436/
Project:
release-2.x
Date of build:
Mon, 13 Dec 2021 22:37:30 +
Build duration:
1 hr 0 min and counting
JUnit Tests
Name: (root) Failed: 0 test(s), Pa
brunoborges edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993000649
> Do I have to reboot the server afterwards to make it be effective?
> Or the other way round: does the effect of removing the class only exist
until reboot re
brunoborges commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993000649
> Do I have to reboot the server afterwards to make it be effective?
> Or the other way round: does the effect of removing the class only exist
until reboot resulting
sellexx-stephan commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992997550
Thanks @zhangyoufu for your great workaround!
Thanks @remkop and all others here for caring!
about the hint given by zhangyoufu: "Just zip -q -d log4j-core-
[
https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker updated LOG4J2-3208:
Fix Version/s: 2.16.0
(was: 2.15.1)
> Disable JNDI by default
> ---
[
https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker reopened LOG4J2-3208:
-
> Disable JNDI by default
> ---
>
> Key: LOG4J2-3208
>
[
https://issues.apache.org/jira/browse/LOG4J2-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Sicker closed LOG4J2-3208.
---
Resolution: Fixed
> Disable JNDI by default
> ---
>
> Key: LOG4J
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458749#comment-17458749
]
Remko Popma commented on LOG4J2-3214:
-
Update: mention the separate CVE (CVE-2021-41
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Remko Popma updated LOG4J2-3214:
Description:
I propose to update the text for the mitigation section of CVE-2021-44228 on
[https:
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Remko Popma updated LOG4J2-3214:
Description:
I propose to update the text for the mitigation section of CVE-2021-44228 on
[https:
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Remko Popma updated LOG4J2-3214:
Description:
I propose to update the text for the mitigation section of CVE-2021-44228 on
[https:
[
https://issues.apache.org/jira/browse/LOG4J2-3219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458747#comment-17458747
]
Volkan Yazici commented on LOG4J2-3219:
---
Please note that Log4j 1.x reached its en
[
https://issues.apache.org/jira/browse/LOG4J2-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici reassigned LOG4J2-3213:
-
Assignee: Volkan Yazici
> CVE-2021-44228 vulnerability missing CPE information in NVD
>
[
https://issues.apache.org/jira/browse/LOG4J2-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458744#comment-17458744
]
Volkan Yazici commented on LOG4J2-3213:
---
[~Annabel_Lee], thanks so much for the he
[
https://issues.apache.org/jira/browse/LOG4J2-3213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici resolved LOG4J2-3213.
---
Resolution: Fixed
> CVE-2021-44228 vulnerability missing CPE information in NVD
> --
jyemin commented on pull request #618:
URL: https://github.com/apache/logging-log4j2/pull/618#issuecomment-992938288
@vy I don't disagree with you, and if the decision is to remove
`log4j2.allowedLdapClasses` entirely, along with all support for JNDI lookups,
I'd be all for it. But it see
jyemin commented on a change in pull request #618:
URL: https://github.com/apache/logging-log4j2/pull/618#discussion_r768143664
##
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/net/SerializationHelper.java
##
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache
vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992934542
> I would also appreciate if security fixes could be back ported to 2.12.x
as this is the last version that supports Java 7. We're still supporting Java 7
in the Elastic APM Jav
[
https://issues.apache.org/jira/browse/LOG4J2-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458728#comment-17458728
]
Volkan Yazici commented on LOG4J2-3220:
---
See [CVE-2021-4104|https://access.redhat.
caio-picpay commented on a change in pull request #618:
URL: https://github.com/apache/logging-log4j2/pull/618#discussion_r768132721
##
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/net/SerializationHelper.java
##
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Ap
[
https://issues.apache.org/jira/browse/LOG4J2-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici closed LOG4J2-3220.
-
Resolution: Fixed
> CVE-2021-44228
> --
>
> Key: LOG4J2-3220
>
[
https://issues.apache.org/jira/browse/LOG4J2-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458726#comment-17458726
]
Volkan Yazici commented on LOG4J2-3220:
---
Log4j 1.x is not affected by CVE-2021-442
[
https://issues.apache.org/jira/browse/LOG4J2-3217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458724#comment-17458724
]
Volkan Yazici commented on LOG4J2-3217:
---
[~EtienneMiret], in these occasions, a te
bynt commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992913606
> PR:N is for the original CVE. PR:H would be for modifying the config file,
though we didn't publish separate CVEs for the different ways to exploit the
same underlying issue
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992902058
PR:N is for the original CVE. PR:H would be for modifying the config file,
though we didn't publish separate CVEs for the different ways to exploit the
same underlying issue.
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992900063
@tony-- Yes I believe that removing the JMSAppender class from the Log4j 1.x
jar will mitigate this vulnerability.
--
This is an automated message from the Apache Git Ser
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992886229
@Kirill89 @ceki @remkop @TopStreamsNet please confirm/comment.
Does removing JMSAppender completely mitigate what Snyk is describing as
[SNYK-JAVA-LOG4J-2316893](ht
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992886229
@Kirill89 @ceki @remkop please confirm/comment.
Does removing JMSAppender completely mitigate what Snyk is describing as
[SNYK-JAVA-LOG4J-2316893](https://security.
tony-- edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992886229
@Kirill89 @ceki @remkop please confirm/comment.
Does removing JMSAppender completely mitigate what Snyk is describing as
[SNYK-JAVA-LOG4J-2316893](https://security.
bynt edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992895039
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We d
bynt commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992895039
> > The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
>
> It was just pushed to cve.org and should be visible soon. We decided
[
https://issues.apache.org/jira/browse/LOG4J2-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458704#comment-17458704
]
Volkan Yazici commented on LOG4J2-3216:
---
# You are strongly advised to migrate to
[
https://issues.apache.org/jira/browse/LOG4J2-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici reassigned LOG4J2-3216:
-
Assignee: Volkan Yazici
> CVE-2021-44228 applicability to Json Layout log messages
> --
[
https://issues.apache.org/jira/browse/LOG4J2-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici closed LOG4J2-3216.
-
Resolution: Fixed
> CVE-2021-44228 applicability to Json Layout log messages
> -
tony-- commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992886229
@Kirill89 @ceki please confirm.
Does removing JMSAppender completely mitigate what Snyk is describing as
[SNYK-JAVA-LOG4J-2316893](https://security.snyk.io/vuln/SNYK-JAVA-
[
https://issues.apache.org/jira/browse/LOG4J2-3215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458702#comment-17458702
]
quapka commented on LOG4J2-3215:
[~vy] I can imagine, good luck with that!
> Gradle ins
[
https://issues.apache.org/jira/browse/LOG4J2-3215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458698#comment-17458698
]
Volkan Yazici commented on LOG4J2-3215:
---
[~quapka], thanks! Will take care of it.
[
https://issues.apache.org/jira/browse/LOG4J2-3215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici reassigned LOG4J2-3215:
-
Assignee: Volkan Yazici
> Gradle instructions for adding log4j as a dependency are outd
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458696#comment-17458696
]
Volkan Yazici commented on LOG4J2-3214:
---
I am back, again! The way it is now looks
Kirill89 commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992763568
@TopStreamsNet thank you for the detailed answer about 1.x versions. At Snyk
we checked it as well and agree with your conclusions. 1.x is not vulnerable
unless malicious
[
https://issues.apache.org/jira/browse/LOG4J2-3219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arun Naik closed LOG4J2-3219.
-
Resolution: Fixed
Got the answer.
Thanks.
> CVE-2021-44228 on log4j version 1.2.17
> -
[
https://issues.apache.org/jira/browse/LOG4J2-3219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458600#comment-17458600
]
Arun Naik commented on LOG4J2-3219:
---
Thanks a lot for the quick response.
That helps.
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding `JMSAppender `vulnerability, it has to be placed in the log4j.xml
configuration file with a corrupt parameter. If the log4j.xml configuration
file is write pr
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding JMSAppender vulnerability, it has to be placed in the log4j.xml
configuration file with a corrupt parameter. If the log4j.xml configuration
file is write prot
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding JMSAppender vulnerability, it has to be placed in the log4j 1.x
and given a corrupt parameter in log4j.xml configuration file. If the log4j.xml
configuration
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding JMSAppender vulnerability, it has to be placed in the log4j 1.x
and given a corrupt parameter in log4j.xml configuration file. If the log4j.xml
configuration
ceki commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992730958
Regarding JMSAppender vulnerability, it has to be placed in the log4j 1.x
and given a corrupt parameter in log4j.xml configuration file. If the log4j.xml
configuration file is
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992726081
> Thank you Gary, Is there a way to make sure JMS Appender is disabled? Just
to make sure that even if one of the installed Eclipse plug-ins is configured
in a risky w
bowb commented on pull request #78:
URL: https://github.com/apache/logging-log4cxx/pull/78#issuecomment-992725037
see https://github.com/apache/logging-log4cxx/pull/82
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use t
bowb closed pull request #78:
URL: https://github.com/apache/logging-log4cxx/pull/78
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications
drorbrillsnps edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992718306
Thank you Gary,
Is there a way to make sure JMS Appender is disabled?
Just to make sure that even if one of the installed Eclipse plug-ins is
configured
drorbrillsnps commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992718306
Thank you Gary,
Is there a way to make sure JMS Appender is disabled?
Just to make sure that a user is not able to create configurations that are
risky.
--
T
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992713094
You are fine unless you are using a specially crafted configuration for a
JMS Appender.
Gary
On Mon, Dec 13, 2021 at 12:22 PM drorbrillsnps ***@***.***>
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458565#comment-17458565
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 5:37 PM:
--
[
https://issues.apache.org/jira/browse/LOG4J2-3218?focusedWorklogId=695229&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-695229
]
ASF GitHub Bot logged work on LOG4J2-3218:
--
Author: ASF GitHub Bot
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458565#comment-17458565
]
Truman Lackey commented on LOGCXX-537:
--
I just noticed there are a couple of return
jvz commented on pull request #21:
URL:
https://github.com/apache/logging-log4j-kotlin/pull/21#issuecomment-992707197
Yeah, we can start a release later today.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL
drorbrillsnps commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992699787
All Eclipse releases from the past years are using log4j 1.2.15
What is the recommendation for Eclipse users?
Is there a workaround to ensure Eclipse users are no
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 5:09 PM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 5:06 PM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 5:06 PM:
--
felixbarny commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992683138
> @remkop Hi! Thanks for your work and the community correspondence.
> Do you have any plans to backport the correspondence to this vulnerability
to older versions of
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 5:02 PM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey edited comment on LOGCXX-537 at 12/13/21, 4:59 PM:
--
coldtobi commented on a change in pull request #83:
URL: https://github.com/apache/logging-log4cxx/pull/83#discussion_r767947596
##
File path: src/test/cpp/util/transformer.cpp
##
@@ -116,14 +116,25 @@ void Transformer::createSedCommandFile(const std::string&
regexName,
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458533#comment-17458533
]
Truman Lackey commented on LOGCXX-537:
--
[~rmiddleton] Couple of other things I notic
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458520#comment-17458520
]
Mark J. Cox commented on LOG4J2-3214:
-
Gary, although the CVE was initially allocate
iamamoose commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992651914
> The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
It was just pushed to cve.org and should be visible soon. We decided
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458513#comment-17458513
]
Gary D. Gregory commented on LOG4J2-3214:
-
The confusion is made worse as CVE-20
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992643509
The confusion is made worse as this is a RedHat "CVE" which is not
registered with cve.org.
--
This is an automated message from the Apache Git Service.
To respond t
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458508#comment-17458508
]
Mark J. Cox edited comment on LOG4J2-3214 at 12/13/21, 4:14 PM:
--
[
https://issues.apache.org/jira/browse/LOG4J2-3214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458508#comment-17458508
]
Mark J. Cox commented on LOG4J2-3214:
-
Note CVE-2021-4104 is for log4j 1.x now; plea
iamamoose commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992634349
Log4j 1.2 has it's own CVE now CVE-2021-4104 to save confusion:
https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx
--
This is an automated message from th
1 - 100 of 202 matches
Mail list logo
