+1 (non binding)

Checks:
- Checksum and signatures
- Apache Rat check passes
- Compile from source with JDK 8
- Build docker image from source
- Run Pulsar standalone and produce-consume from CLI
- Verified Log4J inside lib/

-rw-r--r-- 1 root root  208235 Jan 22  2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
-rw-r--r-- 1 root root  301776 Jan 22  2020 org.apache.logging.log4j-log4j-api-2.17.0.jar
-rw-r--r-- 1 root root 1789339 Jan 22  2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
-rw-r--r-- 1 root root   24252 Jan 22  2020 org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
-rw-r--r-- 1 root root   35920 Jan 22  2020 org.apache.logging.log4j-log4j-web-2.17.0.jar

On Wed, Dec 22, 2021 at 06:37 Lin Lin <lin...@apache.org> wrote:
>
>
> On 2021/12/21 10:48:41 Shivji Kumar Jha wrote:
> > Hi LinLin,
> >
> > Log4j version 2.16.0 has DDoS possibilities in some cases [1]. Can we move
> > to Log4j 2.17.0 in 2.8.2?
> >
> > > Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not
> > > protect from uncontrolled recursion from self-referential lookups. This
> > > allows an attacker with control over Thread Context Map data to cause a
> > > denial of service when a crafted string is interpreted. This issue was
> > > fixed in Log4j 2.17.0 and 2.12.3.
>
> Already included

--
Nicolò Boschi
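As an added example (not part of this thread and not Pulsar's own release tooling), the "Verified Log4J inside lib/" step above can be automated: the script below parses an `ls -l` listing of lib/, pulls the version out of each Log4j 2 jar name, and flags anything inside the affected range the quoted advisory describes (2.0-alpha1 through 2.16.0, fixed in 2.17.0 and 2.12.3). The jar-name pattern assumes the groupId-artifactId-version layout shown in the listing; the sample listing is constructed from the five jars above plus a few hypothetical older versions for contrast.

```python
"""Check a Pulsar lib/ listing for Log4j 2 jars inside the advisory's affected range.

Added example; it encodes only the range quoted in the thread:
  affected: 2.0-alpha1 .. 2.16.0 (excluding 2.12.3)
  fixed:    2.17.0 and 2.12.3
"""
import re
import sys
from pathlib import Path

# Matches groupId-artifactId-version.jar as laid out in Pulsar's lib/ (assumption
# based on the listing in the vote mail). The non-greedy artifact group lets names
# such as log4j-1.2-api parse correctly.
JAR_RE = re.compile(
    r"org\.apache\.logging\.log4j-(?P<artifact>log4j-.+?)-"
    r"(?P<version>\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)\.jar$"
)


def parse_version(text: str) -> tuple:
    """'2.17.0' -> (2, 17, 0); '2.0-alpha1' -> (2, 0, 0). Pre-release tags are dropped
    because the advisory range starts at 2.0-alpha1, so every 2.0 pre-release is affected."""
    core, _, _pre = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: tuple):
    """True if the version is in the affected range, False if at or past a fix version,
    None if it is not a Log4j 2 version (this advisory does not speak to other majors)."""
    major, minor, patch = version
    if major != 2:
        return None
    if minor >= 17:              # 2.17.0 and later
        return False
    if minor == 12 and patch >= 3:  # 2.12.3 backport line
        return False
    return True


def audit_listing(listing: str) -> dict:
    """Map each Log4j jar file name found in an `ls -l` (or plain) listing to a verdict."""
    verdicts = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[-1]            # last column of `ls -l` is the file name
        m = JAR_RE.search(name)
        if not m:
            continue
        vuln = is_vulnerable(parse_version(m["version"]))
        verdicts[name] = {True: "VULNERABLE", False: "ok", None: "not-log4j2"}[vuln]
    return verdicts


def release_is_clean(listing: str) -> bool:
    """Vote-style yes/no: no Log4j 2 jar in the listing is inside the affected range."""
    return all(v != "VULNERABLE" for v in audit_listing(listing).values())


# Constructed sample: the five jars from the vote mail, plus hypothetical older builds.
SAMPLE_LISTING = """\
-rw-r--r-- 1 root root  208235 Jan 22  2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
-rw-r--r-- 1 root root  301776 Jan 22  2020 org.apache.logging.log4j-log4j-api-2.17.0.jar
-rw-r--r-- 1 root root 1789339 Jan 22  2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
-rw-r--r-- 1 root root   24252 Jan 22  2020 org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
-rw-r--r-- 1 root root   35920 Jan 22  2020 org.apache.logging.log4j-log4j-web-2.17.0.jar
-rw-r--r-- 1 root root       0 Jan 01  2020 some-unrelated-library-1.0.0.jar
"""

OLD_LISTING = """\
org.apache.logging.log4j-log4j-core-2.16.0.jar
org.apache.logging.log4j-log4j-core-2.12.3.jar
org.apache.logging.log4j-log4j-core-2.12.2.jar
org.apache.logging.log4j-log4j-core-2.0-alpha1.jar
"""


if __name__ == "__main__":
    # Usage: python check_log4j.py /path/to/apache-pulsar-x.y.z/lib   (or no arg for the sample)
    if len(sys.argv) > 1:
        listing = "\n".join(p.name for p in Path(sys.argv[1]).glob("*.jar"))
    else:
        listing = SAMPLE_LISTING
    for jar, verdict in sorted(audit_listing(listing).items()):
        print(f"{verdict:12s} {jar}")
    sys.exit(0 if release_is_clean(listing) else 1)
```

Pass the unpacked release's lib/ directory as the argument to run it against a real candidate; a non-zero exit means at least one Log4j 2 jar is still inside the affected range. The name-based check is only as good as the file names, so for a stricter verification also compare the jar checksums against the ones published for 2.17.0 in Maven Central.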