You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@livy.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2023/01/16 18:32:00 UTC
[jira] [Commented] (LIVY-878) Log4j upgrade for Livy 0.7.0 version
[ https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17677491#comment-17677491 ]
Larry McCay commented on LIVY-878:
----------------------------------
[~dacort] - curious what your thoughts are on the above discussion.
Have you made any additional progress on PR [https://github.com/apache/incubator-livy/pull/381/files] ?
What do you think are the next steps here?
> Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for an advise from you in context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 version is being used by our team for processing the spark jobs . It uses the Log4j 1.x.x. which is not having any continued support.
> We would like to upgrade the Log4j versions to the latest stable version 2.15 without having any impact on the installations .
>
> Could you please recommend the possible ways to do the upgrade .Please note , we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue .
> Our requirement is to retain the current installed version and configurations with only changes in the Log4j versions
--
This message was sent by Atlassian Jira
(v8.20.10#820010)