Since it is “critical” severity, I think it would be a good idea to seriously consider pushing out a minor version of 0.22.x, especially since the mitigation strategy outlined in the CVE is not available in the log4j version that exists today in the current stable release. There is past precedent for such releases: see 0.20.2.

On Fri, Dec 10, 2021 at 12:14 PM Eyal Yurman <eyurma...@yahooinc.com.invalid> wrote:
> Hello, regarding https://github.com/apache/druid/pull/12051 which merged to
> master,
>
> Is it a common practice for the project to backport and release a new minor
> for the latest version?