Hi Lin Lin - We really need to complete this release and announce it ASAP.

Regards,
Dave

> On Dec 30, 2021, at 5:58 AM, Enrico Olivelli <eolive...@gmail.com> wrote:
>
> What's the status of this VOTE?
>
> Enrico
>
> On Wed, Dec 22, 2021, 10:34 Nicolò Boschi <boschi1...@gmail.com> wrote:
>
>> +1 (non binding)
>>
>> Checks:
>> - Checksum and signatures
>> - Apache Rat check passes
>> - Compile from source w JDK8
>> - Build docker image from source
>> - Run Pulsar standalone and produce-consume from CLI
>> - Verified Log4J inside lib/
>>
>> -rw-r--r-- 1 root root 208235 Jan 22 2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
>> -rw-r--r-- 1 root root 301776 Jan 22 2020 org.apache.logging.log4j-log4j-api-2.17.0.jar
>> -rw-r--r-- 1 root root 1789339 Jan 22 2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
>> -rw-r--r-- 1 root root 24252 Jan 22 2020 org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
>> -rw-r--r-- 1 root root 35920 Jan 22 2020 org.apache.logging.log4j-log4j-web-2.17.0.jar
>>
>> On Wed, Dec 22, 2021 at 06:37, Lin Lin <lin...@apache.org> wrote:
>>
>>>
>>> On 2021/12/21 10:48:41 Shivji Kumar Jha wrote:
>>>> Hi LinLin,
>>>>
>>>> Log4j version 2.16.0 has DDoS possibilities in some cases [1]. Can we move
>>>> to Log4j 2.17.0 in 2.8.2?
>>>>
>>>>> Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not
>>>>> protect from uncontrolled recursion from self-referential lookups. This
>>>>> allows an attacker with control over Thread Context Map data to cause a
>>>>> denial of service when a crafted string is interpreted. This issue was
>>>>> fixed in Log4j 2.17.0 and 2.12.3.
>>>
>>>
>>> Already included
>>>
>>
>>
>> --
>> Nicolò Boschi
>>
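
Added example, not part of the original thread and not Pulsar project code: one way to automate the "Verified Log4J inside lib/" check by classifying jar names from an `ls -l` listing against the version range in the quoted advisory text. The function names and the sample listing are assumptions made up for illustration; only the first two jar names are taken from the thread.

```python
import re

# Range quoted in the thread: 2.0-alpha1 through 2.16.0 affected, except 2.12.3.
FIRST_FIXED = (2, 17, 0)
FIXED_BACKPORTS = {(2, 12, 3)}  # extend with other backports your advisory source lists
# Jar name at the end of an `ls -l` line: <artifact>-<version>[-<prerelease>].jar
JAR_RE = re.compile(
    r"(?P<artifact>\S*log4j\S*?)-(?P<version>\d+(?:\.\d+)+)(?P<pre>-[A-Za-z0-9]+)?\.jar$")


def classify(line):
    """Return (version, status) for a Log4j jar line, or None for anything else."""
    m = JAR_RE.search(line.strip())
    if not m:
        return None
    nums = (tuple(int(p) for p in m.group("version").split(".")) + (0, 0))[:3]
    label = m.group("version") + (m.group("pre") or "")
    if nums[0] != 2:
        return label, "out-of-scope"  # only Log4j 2.x is covered by the quoted advisory
    fixed = nums >= FIRST_FIXED or nums in FIXED_BACKPORTS
    if fixed and m.group("pre"):
        return label, "unverified"    # pre-release build of a fixed version
    return label, "fixed" if fixed else "affected"


def audit(listing):
    """Map each Log4j jar in a directory listing to its status."""
    results = {}
    for line in listing.splitlines():
        hit = classify(line)
        if hit:
            results[line.split()[-1]] = hit[1]
    return results


# Constructed sample: the first two names are as posted in the thread, the rest are made up.
SAMPLE = """\
-rw-r--r-- 1 root root 1789339 Jan 22 2020 org.apache.logging.log4j-log4j-core-2.17.0.jar
-rw-r--r-- 1 root root 208235 Jan 22 2020 org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
-rw-r--r-- 1 root root 0 Jan 1 2021 org.apache.logging.log4j-log4j-core-2.16.0.jar
-rw-r--r-- 1 root root 0 Jan 1 2021 log4j-core-2.12.3.jar
-rw-r--r-- 1 root root 0 Jan 1 2021 log4j-api-2.0-alpha1.jar
-rw-r--r-- 1 root root 0 Jan 1 2021 netty-common-4.1.72.Final.jar
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:12} {name}")
```

A file-name check only confirms what the jar claims to be; it does not detect Log4j classes shaded into other jars.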