What's the status of this VOTE?

Enrico
On Wed, 22 Dec 2021, 10:34 Nicolò Boschi <boschi1...@gmail.com> wrote:

> +1 (non binding)
>
> Checks:
> - Checksum and signatures
> - Apache Rat check passes
> - Compile from source w JDK8
> - Build docker image from source
> - Run Pulsar standalone and produce-consume from CLI
> - Verified Log4J inside lib/
>
> -rw-r--r-- 1 root root 208235 Jan 22 2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
> -rw-r--r-- 1 root root 301776 Jan 22 2020 org.apache.logging.log4j-log4j-api-2.17.0.jar
> -rw-r--r-- 1 root root 1789339 Jan 22 2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
> -rw-r--r-- 1 root root 24252 Jan 22 2020 org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
> -rw-r--r-- 1 root root 35920 Jan 22 2020 org.apache.logging.log4j-log4j-web-2.17.0.jar
>
> On Wed, 22 Dec 2021 at 06:37 Lin Lin <lin...@apache.org> wrote:
>
> > On 2021/12/21 10:48:41 Shivji Kumar Jha wrote:
> > > Hi LinLin,
> > >
> > > Log4j version 2.16.0 has DDoS possibilities in some cases [1]. Can we
> > > move to Log4j 2.17.0 in 2.8.2?
> > >
> > > > Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did
> > > > not protect from uncontrolled recursion from self-referential lookups.
> > > > This allows an attacker with control over Thread Context Map data to
> > > > cause a denial of service when a crafted string is interpreted. This
> > > > issue was fixed in Log4j 2.17.0 and 2.12.3.
> >
> > Already included
>
> --
> Nicolò Boschi