+1 (non-binding)

Checks:
- Checksum and signatures
- Apache Rat check passes
- Compile from source w JDK8
- Build docker image from source
- Run Pulsar standalone and produce-consume from CLI
- Verified Log4J inside lib/

-rw-r--r-- 1 root root   208235 Jan 22  2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
-rw-r--r-- 1 root root   301776 Jan 22  2020 org.apache.logging.log4j-log4j-api-2.17.0.jar
-rw-r--r-- 1 root root  1789339 Jan 22  2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
-rw-r--r-- 1 root root    24252 Jan 22  2020 org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
-rw-r--r-- 1 root root    35920 Jan 22  2020 org.apache.logging.log4j-log4j-web-2.17.0.jar

On Wed, 22 Dec 2021 at 06:37, Lin Lin <lin...@apache.org> wrote:

> On 2021/12/21 10:48:41 Shivji Kumar Jha wrote:
> > Hi LinLin,
> >
> > Log4j version 2.16.0 has DDoS possibilities in some cases [1]. Can we move
> > to Log4j 2.17.0 in 2.8.2?
> >
> > > Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not
> > > protect from uncontrolled recursion from self-referential lookups. This
> > > allows an attacker with control over Thread Context Map data to cause a
> > > denial of service when a crafted string is interpreted. This issue was
> > > fixed in Log4j 2.17.0 and 2.12.3.
>
> Already included


-- 
Nicolò Boschi
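
The lib/ check from the vote above, as an added example that is not part of the original message or of the Pulsar project: a Python script that parses Log4j 2 jar names like those listed and flags versions inside the affected range quoted in the thread. The function names, the handling of the group-id prefix, and the constructed sample names are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Range quoted in the thread: 2.0-alpha1 through 2.16.0 affected, except
# 2.12.3. Releases the thread does not mention are not encoded here.
FIRST_AFFECTED, LAST_AFFECTED = (2, 0, 0), (2, 16, 0)
FIXED_EXCEPTIONS = {(2, 12, 3)}

GROUP_PREFIX = "org.apache.logging.log4j-"  # prefix seen in the lib/ listing
# Artifact id (may contain digits, e.g. log4j-1.2-api), then the version.
JAR_RE = re.compile(
    r"^(log4j-[a-z0-9.\-]+?)-(\d+)\.(\d+)(?:\.(\d+))?(?:-[a-z]+\d*)?\.jar$")

# First two names are from the listing above; the rest are constructed.
SAMPLE = [
    "org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar",
    "org.apache.logging.log4j-log4j-core-2.17.0.jar",
    "log4j-core-2.16.0.jar", "log4j-core-2.12.3.jar",
    "log4j-api-2.0-beta9.jar", "log4j-1.2.17.jar",
]

def parse_log4j2_jar(filename):
    """Return (artifact, (major, minor, patch)), or None if not a Log4j 2 jar."""
    name = filename[len(GROUP_PREFIX):] if filename.startswith(GROUP_PREFIX) else filename
    m = JAR_RE.match(name)
    if not m:
        return None  # includes Log4j 1.x jars such as log4j-1.2.17.jar
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))

def is_affected(version):
    return (FIRST_AFFECTED <= version <= LAST_AFFECTED
            and version not in FIXED_EXCEPTIONS)

def audit(filenames):
    """Map each Log4j 2 jar name to 'affected' or 'ok'; skip other files."""
    report = {}
    for filename in filenames:
        parsed = parse_log4j2_jar(filename)
        if parsed:
            report[filename] = "affected" if is_affected(parsed[1]) else "ok"
    return report

if __name__ == "__main__":
    names = [p.name for p in Path(sys.argv[1]).glob("*.jar")] if len(sys.argv) > 1 else SAMPLE
    report = audit(names)
    for name, status in sorted(report.items()):
        print(f"{status:8} {name}")
    sys.exit(1 if "affected" in report.values() else 0)
```

Pass the path to lib/ as the first argument to scan a real distribution; the exit status is 1 when any affected jar is found.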
