Posted to dev@logging.apache.org by Gary Gregory <ga...@gmail.com> on 2020/12/03 15:09:19 UTC

[log4j] Release log4j-tools

Hi All:

We've never released from
https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
currently using a SNAPSHOT build. Any thoughts on releasing from there?

Gary

Re: [log4j] Release log4j-tools

Posted by Gary Gregory <ga...@gmail.com>.
I am looking at the release-2.x branch. I will set it to 1.0.0-SNAPSHOT
soon (AFK)

Gary

On Thu, Dec 10, 2020, 16:51 Ralph Goers <ra...@dslextreme.com> wrote:

> Its version is currently 3.0.0-SNAPSHOT but I don’t know why. I think it
> should be set to 1.0.0.  We aren’t going to do a release of log4j-tools
> very often. Certainly not as frequently as log4j itself. It hardly ever
> changes.  It needs an independent versioning scheme.
>
> Ralph
>
> > On Dec 10, 2020, at 1:50 PM, Gary Gregory <ga...@gmail.com>
> wrote:
> >
> > I think the log4j-tools version should be set to 2.14.0 for a RC to match
> > the release of log4j. Thoughts?
> >
> > Gary
> >
> > On Thu, Dec 10, 2020, 15:45 Ralph Goers <ra...@dslextreme.com>
> wrote:
> >
> >> OK. Then I guess I forgot since it has been so long.
> >>
> >> Ralph
> >>
> >>> On Dec 10, 2020, at 1:09 PM, Gary Gregory <ga...@gmail.com>
> >> wrote:
> >>>
> >>> But there *is* an allowed list of Java classes and packages configured
> >>> in org.apache.logging.log4j.util.FilteredObjectInputStream which the
> >>> log4j-server module's servers use through
> >> ObjectInputStreamLogEventBridge.
> >>>
> >>> Gary
> >>>
> >>> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <
> ralph.goers@dslextreme.com>
> >>> wrote:
> >>>
> >>>> There is a Jira issue to do that but as far as I know the Security bug
> >> was
> >>>> never addressed in that code. In a quick glance at it I still see it
> >>>> supporting Java serialized objects without any kind of whitelisting. I
> >>>> don’t see anything in that repo besides the log server and I wouldn’t
> >> want
> >>>> to release something with known security problems.
> >>>>
> >>>> Ralph
> >>>>
> >>>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com>
> >> wrote:
> >>>>>
> >>>>> Hi All:
> >>>>>
> >>>>> We've never released from
> >>>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and
> I'm
> >>>>> currently using a SNAPSHOT build. Any thoughts on releasing from
> there?
> >>>>>
> >>>>> Gary
> >>>>
> >>>>
> >>>>
> >>
> >>
> >>
>
>
>

Re: [log4j] Release log4j-tools

Posted by Ralph Goers <ra...@dslextreme.com>.
Its version is currently 3.0.0-SNAPSHOT but I don’t know why. I think it should be set to 1.0.0.  We aren’t going to do a release of log4j-tools very often. Certainly not as frequently as log4j itself. It hardly ever changes.  It needs an independent versioning scheme.

Ralph

> On Dec 10, 2020, at 1:50 PM, Gary Gregory <ga...@gmail.com> wrote:
> 
> I think the log4j-tools version should be set to 2.14.0 for a RC to match
> the release of log4j. Thoughts?
> 
> Gary
> 
> On Thu, Dec 10, 2020, 15:45 Ralph Goers <ra...@dslextreme.com> wrote:
> 
>> OK. Then I guess I forgot since it has been so long.
>> 
>> Ralph
>> 
>>> On Dec 10, 2020, at 1:09 PM, Gary Gregory <ga...@gmail.com>
>> wrote:
>>> 
>>> But there *is* an allowed list of Java classes and packages configured
>>> in org.apache.logging.log4j.util.FilteredObjectInputStream which the
>>> log4j-server module's servers use through
>> ObjectInputStreamLogEventBridge.
>>> 
>>> Gary
>>> 
>>> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ra...@dslextreme.com>
>>> wrote:
>>> 
>>>> There is a Jira issue to do that but as far as I know the Security bug
>> was
>>>> never addressed in that code. In a quick glance at it I still see it
>>>> supporting Java serialized objects without any kind of whitelisting. I
>>>> don’t see anything in that repo besides the log server and I wouldn’t
>> want
>>>> to release something with known security problems.
>>>> 
>>>> Ralph
>>>> 
>>>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com>
>> wrote:
>>>>> 
>>>>> Hi All:
>>>>> 
>>>>> We've never released from
>>>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
>>>>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
>>>>> 
>>>>> Gary
>>>> 
>>>> 
>>>> 
>> 
>> 
>> 



Re: [log4j] Release log4j-tools

Posted by Gary Gregory <ga...@gmail.com>.
I think the log4j-tools version should be set to 2.14.0 for a RC to match
the release of log4j. Thoughts?

Gary

On Thu, Dec 10, 2020, 15:45 Ralph Goers <ra...@dslextreme.com> wrote:

> OK. Then I guess I forgot since it has been so long.
>
> Ralph
>
> > On Dec 10, 2020, at 1:09 PM, Gary Gregory <ga...@gmail.com>
> wrote:
> >
> > But there *is* an allowed list of Java classes and packages configured
> > in org.apache.logging.log4j.util.FilteredObjectInputStream which the
> > log4j-server module's servers use through
> ObjectInputStreamLogEventBridge.
> >
> > Gary
> >
> > On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ra...@dslextreme.com>
> > wrote:
> >
> >> There is a Jira issue to do that but as far as I know the Security bug
> was
> >> never addressed in that code. In a quick glance at it I still see it
> >> supporting Java serialized objects without any kind of whitelisting. I
> >> don’t see anything in that repo besides the log server and I wouldn’t
> want
> >> to release something with known security problems.
> >>
> >> Ralph
> >>
> >>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com>
> wrote:
> >>>
> >>> Hi All:
> >>>
> >>> We've never released from
> >>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> >>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
> >>>
> >>> Gary
> >>
> >>
> >>
>
>
>

Re: [log4j] Release log4j-tools

Posted by Ralph Goers <ra...@dslextreme.com>.
OK. Then I guess I forgot since it has been so long.

Ralph

> On Dec 10, 2020, at 1:09 PM, Gary Gregory <ga...@gmail.com> wrote:
> 
> But there *is* an allowed list of Java classes and packages configured
> in org.apache.logging.log4j.util.FilteredObjectInputStream which the
> log4j-server module's servers use through ObjectInputStreamLogEventBridge.
> 
> Gary
> 
> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ra...@dslextreme.com>
> wrote:
> 
>> There is a Jira issue to do that but as far as I know the Security bug was
>> never addressed in that code. In a quick glance at it I still see it
>> supporting Java serialized objects without any kind of whitelisting. I
>> don’t see anything in that repo besides the log server and I wouldn’t want
>> to release something with known security problems.
>> 
>> Ralph
>> 
>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com> wrote:
>>> 
>>> Hi All:
>>> 
>>> We've never released from
>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
>>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
>>> 
>>> Gary
>> 
>> 
>> 



Re: [log4j] Release log4j-tools

Posted by Gary Gregory <ga...@gmail.com>.
But there *is* an allowed list of Java classes and packages configured
in org.apache.logging.log4j.util.FilteredObjectInputStream which the
log4j-server module's servers use through ObjectInputStreamLogEventBridge.

Gary

On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ra...@dslextreme.com>
wrote:

> There is a Jira issue to do that but as far as I know the Security bug was
> never addressed in that code. In a quick glance at it I still see it
> supporting Java serialized objects without any kind of whitelisting. I
> don’t see anything in that repo besides the log server and I wouldn’t want
> to release something with known security problems.
>
> Ralph
>
> > On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com> wrote:
> >
> > Hi All:
> >
> > We've never released from
> > https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> > currently using a SNAPSHOT build. Any thoughts on releasing from there?
> >
> > Gary
>
>
>

Re: [log4j] Release log4j-tools

Posted by Ralph Goers <ra...@dslextreme.com>.
There is a Jira issue to do that but as far as I know the Security bug was never addressed in that code. In a quick glance at it I still see it supporting Java serialized objects without any kind of whitelisting. I don’t see anything in that repo besides the log server and I wouldn’t want to release something with known security problems.

Ralph

> On Dec 3, 2020, at 8:09 AM, Gary Gregory <ga...@gmail.com> wrote:
> 
> Hi All:
> 
> We've never released from
> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> currently using a SNAPSHOT build. Any thoughts on releasing from there?
> 
> Gary
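
Added example (editor's code, not code from the log4j project or from either poster): the two patterns this thread contrasts, side by side. Ralph's message describes a socket server that reads Java serialized objects with an unfiltered ObjectInputStream; Gary's reply points at the allowlist in org.apache.logging.log4j.util.FilteredObjectInputStream, which the log4j-server code reaches through ObjectInputStreamLogEventBridge. The block below reimplements the allowlist idea in a simplified form so the difference can be run and observed. DemoLogEvent, NotAllowed, AllowlistObjectInputStream and the package prefix "org.example.events" are hypothetical stand-ins; the real log4j classes and the contents of their allowlist are not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Added example (not log4j code): unfiltered vs. allowlisted Java deserialization. */
public class AllowlistDeserializationDemo {

    /** Hypothetical stand-in for a log event the server legitimately expects. */
    static final class DemoLogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        DemoLogEvent(String message) { this.message = message; }
    }

    /** Hypothetical stand-in for any other class an attacker could name in the stream. */
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /**
     * Reader that rejects every class descriptor not on the allowlist, before the
     * class is loaded. Same idea as log4j's FilteredObjectInputStream, but a
     * simplified reimplementation, not the project's code.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClasses;
        private final Set<String> allowedPackagePrefixes = new HashSet<>();

        AllowlistObjectInputStream(InputStream in, Set<String> classes,
                                   Set<String> packagePrefixes) throws IOException {
            super(in);
            this.allowedClasses = new HashSet<>(classes);
            for (String p : packagePrefixes) {
                // Require a trailing dot so "org.example." cannot also match "org.exampleevil.X".
                allowedPackagePrefixes.add(p.endsWith(".") ? p : p + ".");
            }
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isAllowed(name)) {
                // InvalidClassException is an IOException, so it propagates out of readObject().
                throw new InvalidClassException(name, "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        private boolean isAllowed(String name) {
            if (allowedClasses.contains(name)) {
                return true;
            }
            for (String prefix : allowedPackagePrefixes) {
                if (name.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** The unfiltered pattern: any Serializable class on the classpath can be instantiated. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** The allowlisted pattern: only DemoLogEvent and the hypothetical org.example.events.* may load. */
    static Object readAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bytes),
                Collections.singleton(DemoLogEvent.class.getName()),
                Collections.singleton("org.example.events"))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample streams: one legitimate event, one arbitrary class.
        byte[] good = serialize(new DemoLogEvent("hello"));
        byte[] bad = serialize(new NotAllowed());

        System.out.println("unfiltered, good stream : " + readUnfiltered(good).getClass().getSimpleName());
        System.out.println("unfiltered, bad stream  : " + readUnfiltered(bad).getClass().getSimpleName());
        System.out.println("allowlisted, good stream: " + readAllowlisted(good).getClass().getSimpleName());
        try {
            readAllowlisted(bad);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted, bad stream : rejected, " + e.getMessage());
        }
    }
}
```

Compile and run with javac/java; the unfiltered reader accepts both streams, the allowlisted one accepts the event and rejects NotAllowed before its class is loaded. Two things a practitioner should check when reviewing an allowlist like this: package prefixes must be matched with a trailing dot, as above, or a neighbouring package name slips through; and the list has to cover every class the legitimate payload actually contains (field types, collections, enums), which is why a real list for a log event is longer than the one here. On Java 9 and later the same policy can also be expressed with the JDK's ObjectInputFilter (JEP 290) instead of overriding resolveClass.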