Posted to user@knox.apache.org by Sandor Molnar <sm...@cloudera.com> on 2022/01/13 10:46:33 UTC

[DISCUSS] - Upgrading Log4j to 2.17.1 on Knox 1.6 line

Hi folks,

with our recent v1.6.1 release (an announcement is about to be sent out) we
are on 2.16.0 to mitigate the infamous CVE-2021-44228
<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security vulnerability.
However, there were subsequent security issues found and those
problems were addressed in later versions. For more information please read
Log4J's security vulnerability page:
https://logging.apache.org/log4j/2.x/security.html

I'm proposing to kick off a new 1.6.2 release that includes the fix for
https://issues.apache.org/jira/browse/KNOX-2702.

Any objection?

Cheers,
Sandor

Re: [DISCUSS] - Upgrading Log4j to 2.17.1 on Knox 1.6 line

Posted by larry mccay <lm...@apache.org>.
s/dependent/vulnerable/


On Thu, Jan 13, 2022 at 10:34 AM larry mccay <lm...@apache.org> wrote:

> We are not vulnerable to those issues as they are in log4j-core and we
> don't use that in the 1.x line.
> Why would we need to upgrade libs that are not dependent?
>
> On Thu, Jan 13, 2022 at 6:47 AM Sandeep Moré <mo...@gmail.com>
> wrote:
>
>> Awesome! that sounds great Sandor, thanks!
>>
>> On Thu, Jan 13, 2022 at 5:46 AM Sandor Molnar
>> <sm...@cloudera.com.invalid> wrote:
>>
>>> Hi folks,
>>>
>>> with our recent v1.6.1 release (an announcement is about to be sent out)
>>> we
>>> are on 2.16.0 to mitigate the infamous CVE-2021-44228
>>> <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security
>>> vulnerability.
>>> However, there were subsequent security issues found and those
>>> problems were addressed in later versions. For more information please
>>> read
>>> Log4J's security vulnerability page:
>>> https://logging.apache.org/log4j/2.x/security.html
>>>
>>> I'm proposing to kick off a new 1.6.2 release that includes the fix for
>>> https://issues.apache.org/jira/browse/KNOX-2702.
>>>
>>> Any objection?
>>>
>>> Cheers,
>>> Sandor
>>>
>>

Re: [DISCUSS] - Upgrading Log4j to 2.17.1 on Knox 1.6 line

Posted by larry mccay <lm...@apache.org>.
We are not vulnerable to those issues as they are in log4j-core and we
don't use that in the 1.x line.
Why would we need to upgrade libs that are not dependent?

On Thu, Jan 13, 2022 at 6:47 AM Sandeep Moré <mo...@gmail.com> wrote:

> Awesome! that sounds great Sandor, thanks!
>
> On Thu, Jan 13, 2022 at 5:46 AM Sandor Molnar <sm...@cloudera.com.invalid>
> wrote:
>
>> Hi folks,
>>
>> with our recent v1.6.1 release (an announcement is about to be sent out)
>> we
>> are on 2.16.0 to mitigate the infamous CVE-2021-44228
>> <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security vulnerability.
>> However, there were subsequent security issues found and those
>> problems were addressed in later versions. For more information please
>> read
>> Log4J's security vulnerability page:
>> https://logging.apache.org/log4j/2.x/security.html
>>
>> I'm proposing to kick off a new 1.6.2 release that includes the fix for
>> https://issues.apache.org/jira/browse/KNOX-2702.
>>
>> Any objection?
>>
>> Cheers,
>> Sandor
>>
>
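The argument in this reply rests on a single factual question: does the shipped distribution actually contain log4j-core, or only other Log4j 2 artifacts? The script below is an added example (not Knox project code) of the check an operator would run before accepting that argument. It walks a lib directory, identifies Log4j 2 jars by filename, falls back to the Maven pom.properties that Log4j jars embed under META-INF/maven/org.apache.logging.log4j/ so that renamed or bundled jars are not missed, and reports whether log4j-core is absent, at or above 2.17.1 (the floor named in the thread subject), or below it. The directory trees, jar names and the "vendor-logging-bundle.jar" in the demo are constructed test data and do not describe any real Knox release.

```python
"""Inventory Log4j 2 jars under a lib/ directory and decide whether log4j-core
needs the 2.17.1 upgrade discussed in the thread.
Added example, not Apache Knox code."""
import os
import re
import tempfile
import zipfile

# Plain Log4j 2 artifact filenames, e.g. log4j-api-2.16.0.jar, log4j-1.2-api-2.16.0.jar.
# Log4j 1.x jars (log4j-1.2.17.jar) deliberately do not match; they are a different codebase.
LOG4J_JAR = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); a qualifier such as '-rc1' is ignored for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def _from_pom_properties(jar_path):
    """Fallback for renamed or bundled jars: yield (artifactId, version) pairs
    from any Log4j pom.properties embedded in the jar."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for entry in zf.namelist():
                if entry.startswith("META-INF/maven/org.apache.logging.log4j/") and entry.endswith("pom.properties"):
                    props = {}
                    for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                        if "=" in line and not line.startswith("#"):
                            key, value = line.split("=", 1)
                            props[key.strip()] = value.strip()
                    if "artifactId" in props and "version" in props:
                        yield props["artifactId"], props["version"]
    except zipfile.BadZipFile:
        return  # not a jar at all; nothing to report


def inventory_log4j(lib_dir):
    """Return {artifactId: version} for every Log4j 2 artifact found under lib_dir."""
    found = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            match = LOG4J_JAR.match(name)
            if match:
                found[match.group(1)] = match.group(2)
                continue
            for artifact, version in _from_pom_properties(os.path.join(root, name)):
                found[artifact] = version
    return found


def assess(inventory, floor="2.17.1"):
    """The CVEs the thread refers to are fixed in log4j-core releases, so the
    verdict hinges on that one artifact:
      'not-shipped' - no log4j-core present (the position taken in this reply)
      'ok'          - log4j-core at or above the floor
      'upgrade'     - log4j-core below the floor (what a 1.6.2 bump would address)
    """
    core = inventory.get("log4j-core")
    if core is None:
        return "not-shipped"
    return "ok" if parse_version(core) >= parse_version(floor) else "upgrade"


def build_sample_lib(base_dir, jars):
    """Write constructed jar files (test data, not a real distribution).
    `jars` maps filename -> optional (artifactId, version) to embed as Maven
    pom.properties, mimicking a renamed or bundled jar; None writes a bare jar."""
    lib = os.path.join(base_dir, "lib")
    os.makedirs(lib, exist_ok=True)
    for name, embedded in jars.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if embedded:
                artifact, version = embedded
                zf.writestr(
                    f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                    f"#constructed\ngroupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n",
                )
    return lib


def demo():
    """Two constructed trees: one with no log4j-core at all, and one where
    log4j-core 2.16.0 hides inside a renamed jar that only the pom.properties
    fallback can identify.  Returns the verdict for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        no_core = build_sample_lib(os.path.join(tmp, "a"), {
            "log4j-api-2.16.0.jar": None,
            "commons-lang3-3.12.0.jar": None,
        })
        results["no-core"] = assess(inventory_log4j(no_core))
        hidden_core = build_sample_lib(os.path.join(tmp, "b"), {
            "log4j-api-2.16.0.jar": None,
            "vendor-logging-bundle.jar": ("log4j-core", "2.16.0"),
        })
        results["hidden-core"] = assess(inventory_log4j(hidden_core))
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

A "not-shipped" verdict only speaks for the directory that was scanned; jars pulled in at runtime from other locations (a Hadoop client installation on the same host, for instance) need the same check against their own paths.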

Re: [DISCUSS] - Upgrading Log4j to 2.17.1 on Knox 1.6 line

Posted by Sandeep Moré <mo...@gmail.com>.
Awesome! that sounds great Sandor, thanks!

On Thu, Jan 13, 2022 at 5:46 AM Sandor Molnar <sm...@cloudera.com.invalid>
wrote:

> Hi folks,
>
> with our recent v1.6.1 release (an announcement is about to be sent out) we
> are on 2.16.0 to mitigate the infamous CVE-2021-44228
> <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security vulnerability.
> However, there were subsequent security issues found and those
> problems were addressed in later versions. For more information please read
> Log4J's security vulnerability page:
> https://logging.apache.org/log4j/2.x/security.html
>
> I'm proposing to kick off a new 1.6.2 release that includes the fix for
> https://issues.apache.org/jira/browse/KNOX-2702.
>
> Any objection?
>
> Cheers,
> Sandor
>