Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/22 06:05:39 UTC

[GitHub] [pulsar] lhotari opened a new pull request #13446: Improve clarity of the Log4Shell CVE blog post

lhotari opened a new pull request #13446:
URL: https://github.com/apache/pulsar/pull/13446


   ### Motivation
   
   - There was feedback from Senior Security Engineer [Gabriel Marquet](https://twitter.com/gbysec) that the message about Pulsar being impacted isn't clearly communicated [in the Log4Shell CVE blog post](https://pulsar.apache.org/blog/2021/12/11/Log4j-CVE/). He proposed making the change in this PR.
   
   - It also seems that the users@pulsar.apache.org mailing list wasn't notified about the blog post. Perhaps a second round of communications would need to go out to reach more members in the Apache Pulsar community.
   
   ### Modifications
   
   - add a sentence that clarifies that Pulsar is also impacted


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] dave2wave commented on a change in pull request #13446: Improve clarity of the Log4Shell CVE blog post

Posted by GitBox <gi...@apache.org>.
dave2wave commented on a change in pull request #13446:
URL: https://github.com/apache/pulsar/pull/13446#discussion_r773638618



##########
File path: site2/website/blog/2021-12-11-Log4j-CVE.md
##########
@@ -8,9 +8,10 @@ allow remote execution for attackers.
 
 The vulnerability issue is described and tracked under [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
 
-Current releases of Apache Pulsar are bundling Log4j2 versions that are
-affected by this vulnerability. We strongly recommend to follow the advisory of the
-Apache Log4j community and patch your systems as soon as possible.
+Current releases of Apache Pulsar are bundling Log4j2 versions that are affected by this vulnerability.
+Default configuration, combined with JVM version and other factors, can render it exploitable.
+We strongly recommend to follow the advisory of the Apache Log4j community and patch your systems 
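Review bot: the new sentence "Default configuration, combined with JVM version and other factors, can render it exploitable." leaves "other factors" unspecified, which is exactly the detail a reader uses to decide whether their deployment needs patching now; either name the factors the post has in mind or link the sentence to the Apache Log4j advisory that the following line tells readers to follow. Two smaller points in the same hunk: "We strongly recommend to follow the advisory" reads better as "We strongly recommend following the advisory", and the retained line "+We strongly recommend ... patch your systems " ends in a trailing space that markdown linters will flag.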

Review comment:
       To be precise, Log4j is a product of Apache Logging.







[GitHub] [pulsar] eolivelli merged pull request #13446: Improve clarity of the Log4Shell CVE blog post

Posted by GitBox <gi...@apache.org>.
eolivelli merged pull request #13446:
URL: https://github.com/apache/pulsar/pull/13446


   

