Posted to issues@phoenix.apache.org by GitBox <gi...@apache.org> on 2021/12/13 18:29:57 UTC

[GitHub] [phoenix-connectors] stoty commented on pull request #68: PHOENIX-6610 [Phoenix-connectors] Upgrade Log4j dependency to address CVE-2021-44228

stoty commented on pull request #68:
URL: https://github.com/apache/phoenix-connectors/pull/68#issuecomment-992753147


   My PR #67 for PHOENIX-6609 has the same version bump, but without the exclusions.
   
   Our (unshaded) non-test dependencies don't include log4j2, and the shaded connectors set all hive dependencies to provided, so the shaded artifacts don't have log4j2 classes either.
   
   [stoty@IstvanToth-MBP15] ~/workspaces/apache-phoenix/phoenix-connectors/phoenix-hive-base (PHOENIX-6609)$ jar tfv phoenix5-hive-shaded/target/phoenix5-hive-shaded-6.0.0-SNAPSHOT.jar |grep org/apache/logging/log4j
   [stoty@IstvanToth-MBP15] ~/workspaces/apache-phoenix/phoenix-connectors/phoenix-hive-base (PHOENIX-6609)$ jar tfv phoenix4-hive-shaded/target/phoenix4-hive-shaded-6.0.0-SNAPSHOT.jar |grep org/apache/logging/log4j
   [stoty@IstvanToth-MBP15] ~/workspaces/apache-phoenix/phoenix-connectors/phoenix-hive-base (PHOENIX-6609)$
   
   I think the exclusions you're adding are redundant.


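Added example, not part of stoty's comment or the phoenix-connectors code: a Python version of the `jar tfv | grep` check shown above that also looks inside nested archives and matches the log4j-core JndiLookup class by path suffix, so a copy relocated by shading is still reported. The function names, size limit, sample jars and their entry names are constructed for illustration.

```python
import io
import zipfile

# Class that identifies log4j-core (the artifact affected by CVE-2021-44228).
# Matched by path suffix so a relocated (shaded) copy is still found.
MARKER_SUFFIX = "logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 64 * 1024 * 1024  # assumption: skip larger nested archives


def find_log4j_core(data, label="<jar>", depth=0, max_depth=4):
    """Return 'outer!/inner!/entry' paths of log4j-core markers in archive bytes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(MARKER_SUFFIX):
                hits.append(f"{label}!/{name}")
            elif (name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth
                  and info.file_size <= MAX_NESTED_BYTES):
                # Recurse into a nested archive (e.g. a jar bundled under lib/).
                hits += find_log4j_core(zf.read(info), f"{label}!/{name}",
                                        depth + 1, max_depth)
    return hits


def make_jar(entries):
    """Build a constructed sample jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not real class files).
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CLEAN = make_jar({"com/example/App.class": b"x"})
DIRECT = make_jar({JNDI: b"x"})
RELOCATED = make_jar({"shaded/" + JNDI: b"x"})
NESTED = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                   "lib/inner.jar": DIRECT})

if __name__ == "__main__":
    for label, jar in [("clean", CLEAN), ("direct", DIRECT),
                       ("relocated", RELOCATED), ("nested", NESTED)]:
        print(label, find_log4j_core(jar, label + ".jar") or "no log4j-core classes")
```

An empty result for a built artifact corresponds to the empty `grep` output in the comment; to check a file on disk, pass `open(path, "rb").read()` as `data`.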