Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/30 14:51:27 UTC

[GitHub] [pulsar] liudezhi2098 opened a new pull request, #16884: [improve][broker] Upgrade log4j2 version to 2.18.0

liudezhi2098 opened a new pull request, #16884:
URL: https://github.com/apache/pulsar/pull/16884

   ### Motivation
   
   For 2.0 <= Apache log4j2 < 2.18.0, there are serious vulnerabilities that require urgent fixes.
   
   ### Documentation
   
   - [x] `no-need-doc`
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] HQebupt commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
HQebupt commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200371700

   /pulsarbot run-failure-checks




[GitHub] [pulsar] RobertIndie commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
RobertIndie commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200852257

   This test seems to fail many times in this PR: `EnvironmentBasedSecretsProviderTest.testConfigValidation`
   https://github.com/apache/pulsar/runs/7597134951?check_suite_focus=true
   ```
   java.lang.AssertionError: expected [SecretValue] but found [null]
     	at org.testng.Assert.fail(Assert.java:99)
     	at org.testng.Assert.failNotEquals(Assert.java:1037)
     	at org.testng.Assert.assertEqualsImpl(Assert.java:140)
     	at org.testng.Assert.assertEquals(Assert.java:122)
     	at org.testng.Assert.assertEquals(Assert.java:629)
     	at org.testng.Assert.assertEquals(Assert.java:639)
     	at org.apache.pulsar.functions.secretsprovider.EnvironmentBasedSecretsProviderTest.testConfigValidation(EnvironmentBasedSecretsProviderTest.java:37)
   ```




[GitHub] [pulsar] Jason918 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
Jason918 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1204882485

   Move `release/2.7.5` label to https://github.com/apache/pulsar/pull/16942




[GitHub] [pulsar] merlimat commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
merlimat commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200362466

   > Release notes https://logging.apache.org/log4j/2.x/changes-report.html
   
   I think we should be a bit more specific here on which particular issue. 
   
   > @liudezhi2098 if you think that there is a high security risk then please do not send a PR but reach out to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to discuss the problem.
   > Disclosing a security issue on GH means to disclose it to the public and put pressure on the whole community
   
   If there's already a security issue in Log4j it means the issue is already public. There's no need for secrecy at this point.
   




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200755913

   > @liudezhi2098 Please provide a correct documentation label for your PR. Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).
   
   Updated.




[GitHub] [pulsar] mattisonchao commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
mattisonchao commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1210812072

   #16995 cherry-picked this PR. So remove the label.




[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200186754

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201404089

   /pulsarbot run-failure-checks




[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200371886

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200756858

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201512995

   Well. I fixed this issue locally. Here is a patch you can make use of:
   
   ```patch
   diff --git a/pom.xml b/pom.xml
   index a6ce94fe734..2d093f1f1eb 100644
   --- a/pom.xml
   +++ b/pom.xml
   @@ -95,7 +95,8 @@ flexible messaging model and an intuitive client API.</description>
        <test.additional.args>
          --add-opens java.base/jdk.internal.loader=ALL-UNNAMED
          --add-opens java.base/java.lang=ALL-UNNAMED <!--Mockito-->
   -      --add-opens java.base/java.io=ALL-UNNAMED <!--Bookkeeper NativeIO -->
   +      --add-opens java.base/java.io=ALL-UNNAMED <!--Bookkeeper NativeIO-->
   +      --add-opens java.base/java.util=ALL-UNNAMED <!--System Lambda-->
          --add-opens java.base/sun.net=ALL-UNNAMED <!--netty.DnsResolverUtil-->
          --add-opens java.management/sun.management=ALL-UNNAMED <!--JvmDefaultGCMetricsLogger-->
        </test.additional.args>
   @@ -1294,6 +1295,13 @@ flexible messaging model and an intuitive client API.</description>
      </dependencyManagement>
    
      <dependencies>
   +    <dependency>
   +      <groupId>com.github.stefanbirkner</groupId>
   +      <artifactId>system-lambda</artifactId>
   +      <version>1.2.1</version>
   +      <scope>test</scope>
   +    </dependency>
   +
        <!-- These dependencies are common to all the submodules -->
        <dependency>
          <groupId>org.apache.pulsar</groupId>
   diff --git a/pulsar-functions/secrets/src/test/java/org/apache/pulsar/functions/secretsprovider/EnvironmentBasedSecretsProviderTest.java b/pulsar-functions/secrets/src/test/java/org/apache/pulsar/functions/secretsprovider/EnvironmentBasedSecretsProviderTest.java
   index 8dbc880fa16..22ef2dd9e60 100644
   --- a/pulsar-functions/secrets/src/test/java/org/apache/pulsar/functions/secretsprovider/EnvironmentBasedSecretsProviderTest.java
   +++ b/pulsar-functions/secrets/src/test/java/org/apache/pulsar/functions/secretsprovider/EnvironmentBasedSecretsProviderTest.java
   @@ -21,11 +21,7 @@ package org.apache.pulsar.functions.secretsprovider;
    
    import static org.testng.Assert.assertEquals;
    import static org.testng.Assert.assertNull;
   -
   -import java.util.HashMap;
   -import java.util.Map;
   -
   -import org.powermock.reflect.Whitebox;
   +import com.github.stefanbirkner.systemlambda.SystemLambda;
    import org.testng.annotations.Test;
    
    public class EnvironmentBasedSecretsProviderTest {
   @@ -33,22 +29,8 @@ public class EnvironmentBasedSecretsProviderTest {
        public void testConfigValidation() throws Exception {
            EnvironmentBasedSecretsProvider provider = new EnvironmentBasedSecretsProvider();
            assertNull(provider.provideSecret("mySecretName", "Ignored"));
   -        injectEnvironmentVariable("mySecretName", "SecretValue");
   -        assertEquals(provider.provideSecret("mySecretName", "Ignored"), "SecretValue");
   -    }
   -
   -    private static void injectEnvironmentVariable(String key, String value)
   -            throws Exception {
   -
   -        Class<?> processEnvironment = Class.forName("java.lang.ProcessEnvironment");
   -        Map<String,String> unmodifiableMap = new HashMap<>(Whitebox
   -                .getInternalState(processEnvironment, "theUnmodifiableEnvironment"));
   -        unmodifiableMap.put(key, value);
   -        Whitebox.setInternalState(processEnvironment, "theUnmodifiableEnvironment", unmodifiableMap);
   -
   -        Map<String,String> envMap = new HashMap<>(Whitebox
   -                .getInternalState(processEnvironment, "theEnvironment"));
   -        envMap.put(key, value);
   -        Whitebox.setInternalState(processEnvironment, "theEnvironment", envMap);
   +        SystemLambda.withEnvironmentVariable("mySecretName", "SecretValue").execute(() -> {
   +            assertEquals(provider.provideSecret("mySecretName", "Ignored"), "SecretValue");
   +        });
        }
    }
   ```
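   Review bot: in the first pom.xml hunk the `--add-opens java.base/java.io=ALL-UNNAMED <!--Bookkeeper NativeIO -->` line is touched only to drop the space before `-->`, which adds a whitespace-only change to a patch whose real addition is `--add-opens java.base/java.util=ALL-UNNAMED <!--System Lambda-->`; leave the java.io line as it was so the diff shows just the new open.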
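   Review bot: the second pom.xml hunk adds `com.github.stefanbirkner:system-lambda:1.2.1` directly under the root `<dependencies>`, right after `</dependencyManagement>`, which makes it a test-scoped dependency of every submodule although only `EnvironmentBasedSecretsProviderTest` in pulsar-functions/secrets uses it; pin the version under `<dependencyManagement>` and declare the dependency only in that module's pom, and since it is a new third-party artifact check the license reporting the same way the log4j bump requires.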
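   Review bot: the test hunk's `SystemLambda.withEnvironmentVariable("mySecretName", "SecretValue").execute(() -> { ... })` scopes the variable to the lambda, whereas the removed `injectEnvironmentVariable` rewrote `theUnmodifiableEnvironment` and `theEnvironment` in `java.lang.ProcessEnvironment` for the whole JVM and never restored them, so the injected value could leak into, or be clobbered by, other test classes sharing the forked JVM; the `throws Exception` on `testConfigValidation` is still needed because `execute` is declared to throw. A one-line comment in the test saying why the scoped form was chosen would stop someone reintroducing the reflective helper.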
   
   I guess the reason is that `Whitebox` failed to set the unmodifiableMap with log4j2 2.18.0, though I have no idea how that happens.
   
   I don't like powermock as it lacks maintenance. It seems all usage of powermock is `Whitebox`. We can get rid of it with simple reflection. This can be a separate issue, though.




[GitHub] [pulsar] BewareMyPower commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
BewareMyPower commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1202199709

   Move `release/2.8.4` label to https://github.com/apache/pulsar/pull/16914.




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1202068028

   /pulsarbot run-failure-checks




[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200191129

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1202015985

   /pulsarbot run-failure-checks




[GitHub] [pulsar] eolivelli commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
eolivelli commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200360742

   Release notes
   https://logging.apache.org/log4j/2.x/changes-report.html
   
   @liudezhi2098 if you think that there is a high security risk then please do not send a PR but reach out to private@pulsar.apache.org to discuss the problem.
   Disclosing a security issue on GH means to disclose it to the public and put pressure on the whole community 




[GitHub] [pulsar] merlimat commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
merlimat commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200353757

   @liudezhi2098 Can you link to the Log4j CVE in the PR description?




[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200188949

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201519411

   `TestEnvVarResolverProperties` can suffer the same issue, let me prepare a pull request onto this one.




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200328968

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201446032

   I can reproduce it steadily with the test command:
   
   ```
   mvn -B -ntp -DskipSourceReleaseAssembly=true -DskipBuildDistribution=true -Dspotbugs.skip=true -Dlicense.skip=true -Dcheckstyle.skip=true -Drat.skip=true clean install -pl '!org.apache.pulsar:distribution,!org.apache.pulsar:pulsar-offloader-distribution,!org.apache.pulsar:pulsar-server-distribution,!org.apache.pulsar:pulsar-io-distribution,!org.apache.pulsar:pulsar-metadata,!org.apache.pulsar:pulsar-common' -PskipTestsForUnitGroupOther -DdisableIoMainProfile=true -DdisableSqlMainProfile=true -DskipIntegrationTests '-Dexclude=**/ManagedLedgerTest.java,
                        **/OffloadersCacheTest.java,
                       **/PrimitiveSchemaTest.java,
                       BlobStoreManagedLedgerOffloaderTest.java'
   ```




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201080815

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1202069598

   `testJavaLoggingFunction` is really a pain.
   
   I once read the logic and it seems all good, but it is perhaps resource-consuming, so that we cannot receive messages in time, especially when CI is overwhelmed.




[GitHub] [pulsar] liudezhi2098 merged pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 merged PR #16884:
URL: https://github.com/apache/pulsar/pull/16884




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201460473

   Perhaps related to this change https://github.com/apache/logging-log4j2/commit/aaf13561e7dab88f379904461c75ed7a7ffef8d5#diff-76c7467e6213a4df2a9aaa05aa0d822f6cef6506a5bbbfdf447b2c1670c0bf4b




[GitHub] [pulsar] dave2wave commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
dave2wave commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201516917

   The last CVE reported against Log4J was fixed in 2.17.1 - as an Apache Software Foundation Member I am able to look and there is nothing known to the Apache Logging security team. If you know of a vulnerability then you should report this privately to security@logging.apache.org immediately so all of the thousands of projects dependent on Log4J 2 can benefit from a fix.




[GitHub] [pulsar] liudezhi2098 commented on a diff in pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on code in PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#discussion_r933823012


##########
pom.xml:
##########
@@ -132,7 +132,7 @@ flexible messaging model and an intuitive client API.</description>
     <rocksdb.version>6.29.4.1</rocksdb.version>
     <slf4j.version>1.7.32</slf4j.version>
     <commons.collections4.version>4.4</commons.collections4.version>
-    <log4j2.version>2.17.1</log4j2.version>
+    <log4j2.version>2.18.0</log4j2.version>
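Review bot: this hunk bumps `<log4j2.version>` from 2.17.1 to 2.18.0 with no reference to what it fixes, while the PR description only says "serious vulnerabilities"; as other reviewers ask in this thread, the description should link the specific log4j change or advisory it relies on (the thread notes that the last CVE fix landed in 2.17.1), and the bundled license files that record the log4j version need the same bump so the release packaging stays consistent.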

Review Comment:
   OK





[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200361923

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] github-actions[bot] commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200361925

   @liudezhi2098 Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] mattisonchao commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
mattisonchao commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1205028793

   @liudezhi2098 Would you like to cherry-pick this PR to branch-2.9?




[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201155027

   > EnvironmentBasedSecretsProviderTest
   
   It should have nothing to do with this PR.




[GitHub] [pulsar] hangc0276 commented on a diff in pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on code in PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#discussion_r933821025


##########
pom.xml:
##########
@@ -132,7 +132,7 @@ flexible messaging model and an intuitive client API.</description>
     <rocksdb.version>6.29.4.1</rocksdb.version>
     <slf4j.version>1.7.32</slf4j.version>
     <commons.collections4.version>4.4</commons.collections4.version>
-    <log4j2.version>2.17.1</log4j2.version>
+    <log4j2.version>2.18.0</log4j2.version>

Review Comment:
   We also need to update versions in license files.





[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200322311

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1201406715

   @RobertIndie I cannot reproduce locally. It seems the test should be correct when run alone.
   
   Perhaps the `unmodifiableMap` gets set in different test cases. And I think for the specific test `EnvironmentBasedSecretsProviderTest`, we don't have to test `System.getenv` and just remove the test class.


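One way to keep a test like `testConfigValidation` without the reflective `ProcessEnvironment` injection discussed above, and without mutating `System.getenv` at all, is to make the environment lookup injectable. This is an added example, not code from the Pulsar code base: the class `InjectableEnvSecretsProvider` and its constructors are hypothetical, while the `provideSecret(name, path)` signature and the `mySecretName`/`SecretValue` pair mirror the test on this page.

```java
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;

/**
 * Hypothetical secrets provider with the same provideSecret(name, path) shape as
 * the test on this page, but with the environment lookup injected instead of
 * hard-wired to System.getenv.
 */
public final class InjectableEnvSecretsProvider {
    private final Function<String, String> env;

    /** Production constructor: reads the real process environment. */
    public InjectableEnvSecretsProvider() {
        this(System::getenv);
    }

    /** Test constructor: any lookup, e.g. a Map, so no JVM-wide state is touched. */
    public InjectableEnvSecretsProvider(Function<String, String> env) {
        this.env = Objects.requireNonNull(env, "env");
    }

    /** Returns the secret value or null; the path argument is ignored, as in the page's test. */
    public String provideSecret(String secretName, Object pathToSecret) {
        return env.apply(secretName);
    }

    /**
     * Stand-in for the test body: replaces the Whitebox/ProcessEnvironment injection
     * with a plain, immutable Map scoped to this one test.
     */
    public static void main(String[] args) {
        // Constructed test environment; nothing here leaks into other test classes.
        Map<String, String> fakeEnv = Map.of("mySecretName", "SecretValue");
        InjectableEnvSecretsProvider provider = new InjectableEnvSecretsProvider(fakeEnv::get);

        if (!"SecretValue".equals(provider.provideSecret("mySecretName", "Ignored"))) {
            throw new AssertionError("expected SecretValue");
        }
        if (provider.provideSecret("missing", "Ignored") != null) {
            throw new AssertionError("expected null for an unset variable");
        }
        // The real process environment is untouched: no --add-opens on
        // java.base/java.util, no reflective writes, nothing to restore afterwards.
        if (System.getenv("mySecretName") != null) {
            throw new AssertionError("process environment must not be modified");
        }
        System.out.println("ok");
    }
}
```

The production path still calls `System.getenv`, so the class behaves as before at runtime; only the test stops depending on JDK internals.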


[GitHub] [pulsar] liudezhi2098 commented on pull request #16884: [fix][broker] Upgrade log4j2 version to 2.18.0

Posted by GitBox <gi...@apache.org>.
liudezhi2098 commented on PR #16884:
URL: https://github.com/apache/pulsar/pull/16884#issuecomment-1200559025

   > Release notes https://logging.apache.org/log4j/2.x/changes-report.html
   > 
   > @liudezhi2098 if you think that there is a high security risk then please do not send a PR but reach out to [private@pulsar.apache.org](mailto:private@pulsar.apache.org) to discuss the problem. Disclosing a security issue on GH means to disclose it to the public and put pressure on the whole community
   
   Understood, thanks for the correction.

