Posted to dev@heron.apache.org by Dave Fisher <wa...@apache.org> on 2021/12/14 00:43:28 UTC

Log4j 2.16.0 a more complete fix to Log4Shell

https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4

Re: Log4j 2.16.0 a more complete fix to Log4Shell

Posted by Tim Allison <ta...@apache.org>.
This is the issue solved by 2.16.0:
https://www.cve.org/CVERecord?id=CVE-2021-45046

I think that 2.15.0 is probably good enough for now.  We can upgrade
to 2.16.0 in 2.2.1, when we upgrade PDFBox and POI early in the new
year.

If anyone has a technical reason to think we should respin 2.2.0-rc1,
please vote/let us know.

Thank you, all!

Cheers,

         Tim

On Mon, Dec 13, 2021 at 7:59 PM Tim Allison <ta...@apache.org> wrote:
>
> I'll dig deeper tomorrow, but I think we're ok with 2.15. I like what
> they've done with 2.16.0. :D
>
> On Mon, Dec 13, 2021 at 7:57 PM Dave Fisher <wa...@apache.org> wrote:
> >
> > You’ll need to evaluate that yourself.
> >
> > Sent from my iPhone
> >
> > > On Dec 13, 2021, at 4:56 PM, Tim Allison <ta...@apache.org> wrote:
> > >
> > > Do we have to do a respin of the release candidate or is this marginally better?
> > >
> > >> On Mon, Dec 13, 2021 at 7:43 PM Dave Fisher <wa...@apache.org> wrote:
> > >>
> > >> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> >

Re: Log4j 2.16.0 a more complete fix to Log4Shell

Posted by Tim Allison <ta...@apache.org>.
I'll dig deeper tomorrow, but I think we're ok with 2.15. I like what
they've done with 2.16.0. :D

On Mon, Dec 13, 2021 at 7:57 PM Dave Fisher <wa...@apache.org> wrote:
>
> You’ll need to evaluate that yourself.
>
> Sent from my iPhone
>
> > On Dec 13, 2021, at 4:56 PM, Tim Allison <ta...@apache.org> wrote:
> >
> > Do we have to do a respin of the release candidate or is this marginally better?
> >
> >> On Mon, Dec 13, 2021 at 7:43 PM Dave Fisher <wa...@apache.org> wrote:
> >>
> >> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
>

Re: Log4j 2.16.0 a more complete fix to Log4Shell

Posted by Dave Fisher <wa...@apache.org>.
You’ll need to evaluate that yourself.

Sent from my iPhone

> On Dec 13, 2021, at 4:56 PM, Tim Allison <ta...@apache.org> wrote:
> 
> Do we have to do a respin of the release candidate or is this marginally better?
> 
>> On Mon, Dec 13, 2021 at 7:43 PM Dave Fisher <wa...@apache.org> wrote:
>> 
>> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4


Re: Log4j 2.16.0 a more complete fix to Log4Shell

Posted by Tim Allison <ta...@apache.org>.
Do we have to do a respin of the release candidate or is this marginally better?

On Mon, Dec 13, 2021 at 7:43 PM Dave Fisher <wa...@apache.org> wrote:
>
> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4

Re: Log4j 2.16.0 a more complete fix to Log4Shell

Posted by Michael Marshall <mm...@apache.org>.
Thanks for the note, Dave.

I created a PR to bump the version in Pulsar [0].

Thanks,
Michael

[0] https://github.com/apache/pulsar/pull/13277

On Mon, Dec 13, 2021 at 6:43 PM Dave Fisher <wa...@apache.org> wrote:
>
> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4