Posted to reviews@helix.apache.org by GitBox <gi...@apache.org> on 2021/12/16 21:58:12 UTC

[GitHub] [helix] brentwritescode opened a new pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

brentwritescode opened a new pull request #1922:
URL: https://github.com/apache/helix/pull/1922


   ### Issues
   
   - [x] My PR addresses the following Helix issues and references them in the PR description:
   
   Fixes #1921 
   
   ### Description
   
   - [x] Here are some details about my PR, including screenshots of any UI changes:
   
   As referenced in the original issue, Log4j has been the subject of multiple critical vulnerabilities.  The latest advice is to abandon Log4j 1.x and Log4j <= 2.15 in favor of Log4j 2.16.0, which reliably patches these issues.  See https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
   
   In the context of Helix, this involved a few things:
   - Replacing the `slf4j-log4j12` v1.7.14 package with the `log4j-to-slf4j` package v2.16.0
   - Upgrading SLF4J API to v1.7.32 (latest) from v1.7.25
   - Adding the `-Dlog4j2.formatMsgNoLookups=true` Java VM flag to all CLI tools (while not strictly necessary in v2.16.0, it's a second failsafe)
   - Removing the unused `org.apache.helix.tools.CLMLogFileAppender` class (the only place CLMLogFileAppender is referenced is in Log4j properties files and from a different package than this one). Custom appenders look way different in Log4j2.
   - `org.slf4j.slf4j-simple` was added to test dependencies in a few places to remove errors with the SLF4J factory not being found
   - `helix-core` specifically needed `log4j-core` added as well to provide an actual logging implementation to back SLF4J
   - `org.apache.helix.zookeeper.zkclient.ZkServer` was updated to change a direct Log4j 1.x reference to use SLF4J
   - In `zookeeper-api` the `org.apache.zookeeper` dependency was updated with exclusion rules on SLF4J and Log4J because it was still pulling in the old vulnerable versions.  As far as I'm aware, Zookeeper hasn't issued a patch yet.
   
   This ended up rippling out into more places than I expected, partly due to the Zookeeper dependency still bringing in vulnerable versions and partly due to a few places in code referencing Log4j 1.x APIs/packages/classes directly.
   
   ### Tests
   
   - [x] The following tests are written for this issue:
   
   n/a
   
   - The following is the result of the "mvn test" command on the appropriate module:
   
   I ran all the tests (results below), though the `helix-core` seems to not be able to make it all the way to the end of the test run without running into "Out of Memory" errors on my Mac.  I think I need some external verification to make sure that's just my machine and not an actual issue with the library upgrade.
   
   I'm planning on deploying a freshly built Helix controller to one of our test environments to try to verify everything else still looks ok.
   
   ```
   metrics-common
   [INFO] Tests run: 0, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ metrics-common ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/metrics-common/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Metrics Common' with 8 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  4.904 s
   [INFO] Finished at: 2021-12-16T09:47:33-08:00
   [INFO] ------------------------------------------------------------------------
   
   metadata-store-directory-common
   [INFO] Tests run: 31, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ metadata-store-directory-common ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/metadata-store-directory-common/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Metadata Store Directory Common' with 7 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  15.906 s
   [INFO] Finished at: 2021-12-16T09:53:18-08:00
   [INFO] ------------------------------------------------------------------------
   
   zookeeper-api
   [INFO] Tests run: 54, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ zookeeper-api ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/zookeeper-api/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: ZooKeeper API' with 115 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  10:26 min
   [INFO] Finished at: 2021-12-16T09:46:11-08:00
   [INFO] ------------------------------------------------------------------------
   
   recipes
   [INFO] Tests run: 0, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ service-discovery ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/recipes/service-discovery/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Recipes :: service discovery' with 8 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] Reactor Summary for Apache Helix :: Recipes 1.0.3-SNAPSHOT:
   [INFO]
   [INFO] Apache Helix :: Recipes ............................ SUCCESS [  0.706 s]
   [INFO] Apache Helix :: Recipes :: Rabbitmq Consumer Group . SUCCESS [  4.474 s]
   [INFO] Apache Helix :: Recipes :: Rsync Replicated File Store SUCCESS [  2.493 s]
   [INFO] Apache Helix :: Recipes :: distributed lock manager  SUCCESS [  2.464 s]
   [INFO] Apache Helix :: Recipes :: distributed task execution SUCCESS [  2.505 s]
   [INFO] Apache Helix :: Recipes :: service discovery ....... SUCCESS [  2.441 s]
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  15.595 s
   [INFO] Finished at: 2021-12-16T09:55:48-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-admin-webapp
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-admin-webapp ---
   [INFO] Skipping JaCoCo execution due to missing execution data file.
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  3.295 s
   [INFO] Finished at: 2021-12-16T10:02:21-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-lock
   [INFO] Tests run: 11, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-lock ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/helix-lock/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Distributed Lock' with 13 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  01:58 min
   [INFO] Finished at: 2021-12-16T10:05:51-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-front
   ???
   
   helix-rest
   [INFO] Tests run: 180, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-rest ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/helix-rest/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Restful Interface' with 87 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  03:38 min
   [INFO] Finished at: 2021-12-16T10:25:47-08:00
   [INFO] ------------------------------------------------------------------------
   
   website
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ 1.0.2-docs ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/website/1.0.2/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Website :: 1.0.2' with 0 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] Reactor Summary for Apache Helix :: Website 1.0.3-SNAPSHOT:
   [INFO]
   [INFO] Apache Helix :: Website ............................ SUCCESS [  0.943 s]
   [INFO] Apache Helix :: Website :: 0.9.8 ................... SUCCESS [  3.082 s]
   [INFO] Apache Helix :: Website :: 0.9.9 ................... SUCCESS [  1.143 s]
   [INFO] Apache Helix :: Website :: 1.0.1 ................... SUCCESS [  1.159 s]
   [INFO] Apache Helix :: Website :: 1.0.2 ................... SUCCESS [  1.162 s]
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  8.088 s
   [INFO] Finished at: 2021-12-16T10:21:19-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-agent
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-agent ---
   [INFO] Skipping JaCoCo execution due to missing execution data file.
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  3.347 s
   [INFO] Finished at: 2021-12-16T10:30:53-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-common
   [INFO] Tests run: 0, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-common ---
   [INFO] Loading execution data file /Users/bnash/code/helix-cve-fork/helix-common/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Helix Common' with 136 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  5.826 s
   [INFO] Finished at: 2021-12-16T10:33:58-08:00
   [INFO] ------------------------------------------------------------------------
   
   helix-core
   [INFO] Results:
   [INFO]
   [ERROR] Failures:
   [ERROR]   TestConfigAccessor.testBasic:50 » OutOfMemory unable to create new native thre...
   [ERROR]   TestConfigAccessor.testDeleteCloudConfig:329 » OutOfMemory unable to create ne...
   [ERROR]   TestConfigAccessor.testSetRestConfig:219 » OutOfMemory unable to create new na...
   ...
   [ERROR] Tests run: 1331, Failures: 133, Errors: 0, Skipped: 90
   [INFO]
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD FAILURE
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  01:33 h
   [INFO] Finished at: 2021-12-16T12:16:35-08:00
   [INFO] ------------------------------------------------------------------------
   [ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M3:test (default-test) on project helix-core: There are test failures.
   [ERROR]
   [ERROR] Please refer to /Users/bnash/code/helix-cve-fork/helix-core/target/surefire-reports for the individual test results.
   [ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
   [ERROR] -> [Help 1]
   [ERROR]
   [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
   [ERROR] Re-run Maven using the -X switch to enable full debug logging.
   [ERROR]
   [ERROR] For more information about the errors and possible solutions, please read the following articles:
   [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
   ```
   
   ### Changes that Break Backward Compatibility (Optional)
   
   - My PR contains changes that break backward compatibility or previous assumptions for certain methods or API. They include:
   
   Nothing breaks a user-facing API as far as I'm aware; however, developers should emphasize relying on SLF4J APIs rather than Log4j ones to keep the necessary abstraction in place.
   
   ### Commits
   
   - My commits all reference appropriate Apache Helix GitHub issues in their subject lines. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Code Quality
   
   - My diff has been formatted using helix-style.xml 
   (helix-style-intellij.xml if IntelliJ IDE is used)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org


[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-996845269


   Did some more testing this morning on the actual generated shell scripts and am seeing some instances of:
   
   ```
   SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
   SLF4J: Defaulting to no-operation (NOP) logger implementation
   SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
   ```
   
   Which would imply the logging dependencies are not entirely correct and the SLF4J bridge is missing.  Looking into it and will push an update if/when I have it sorted out.




[GitHub] [helix] junkaixue merged pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
junkaixue merged pull request #1922:
URL: https://github.com/apache/helix/pull/1922


   




[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-1009475553


   Thanks @junkaixue !
   
   Let me know if I can help or answer any questions at all.
   
   In case you see the periodic PR runs, I'm done updating the code (everything is pointing to Log4j 2.17.1 now), but I've been using GitHub's merge from master functionality to keep this PR up to date with the master branch.




[GitHub] [helix] junkaixue commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
junkaixue commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-996234539


   Thanks @brentwritescode for working on this. It seems there are lots of test failures. Not sure whether they were introduced by the change or are due to a problem with your local laptop.
   
   Maybe we need to run the test with your change to verify the reason before we merge your code.




[GitHub] [helix] junkaixue commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
junkaixue commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-1006092303


   I ran the patch. It passes all the tests in core.
   
   ```
   [INFO] Tests run: 1287, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5,208.086 s - in TestSuite
   [INFO]
   [INFO] Results:
   [INFO]
   [INFO] Tests run: 1287, Failures: 0, Errors: 0, Skipped: 0
   [INFO]
   [INFO]
   [INFO] --- jacoco-maven-plugin:0.8.6:report (generate-code-coverage-report) @ helix-core ---
   [INFO] Loading execution data file /home/jxue/helixtest/helix-core/target/jacoco.exec
   [INFO] Analyzed bundle 'Apache Helix :: Core' with 912 classes
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 01:26 h
   [INFO] Finished at: 2022-01-05T13:17:24-08:00
   [INFO] Final Memory: 41M/1037M
   [INFO] ------------------------------------------------------------------------
   ```




[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-1006119567


   Thanks!  The Log4j folks put out two new versions (2.17.0 and 2.17.1) to address more vulnerabilities that have been discovered, so my last two commits were upgrading 2.16.0 -> 2.17.0 and then 2.17.0 -> 2.17.1.
   
   Definitely worth running things (e.g. the controller) standalone to make sure logs are still coming out like you expect them to.




[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-997131300


   Alright, I think I figured out where I went wrong.  I mixed up the Maven package names.  `log4j-to-slf4j` routes from Log4j2->SLF4J whereas `log4j-slf4j-impl` routes from SLF4J->Log4j2 (which is what we want).  After that fix the rest of the issues cropped up as expected and I was able to update the command lines and log4j.properties files to comply with Log4j2 configuration.
   
   I ran all the unit tests successfully locally again (minus helix-core which I'm going to let run in CI since I had issues with it previously) and then I was able to successfully run a lot of the command line tools (run-rest-admin, start-helix-agent, run-helix-controller, etc.) and verify that they were logging as expected and the output matched the current 1.0.2 release.
   
   Fingers crossed that the tests pass and we can go from there.  Thanks for your patience!
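
Added example, not part of the original comment or of the Helix code base: a small audit of `mvn dependency:tree` output that catches the two problems this thread ran into, Log4j 1.x arriving transitively and an SLF4J API left without a binding because the bridge points the wrong way. The sample trees, the `org.example` coordinates, the rule names and the 2.17.1 floor (the version the PR ended on) are assumptions of this example.

```python
import re

# Constructed `mvn dependency:tree` output, not taken from the Helix build.
# org.example:legacy-client is a hypothetical dependency that still drags in
# Log4j 1.x transitively, as the PR describes for ZooKeeper.
MIXED_UP = r"""
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] \- org.example:legacy-client:jar:1.0.0:compile
[INFO]    \- log4j:log4j:jar:1.2.17:compile
"""
FIXED = r"""
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- org.example:legacy-client:jar:1.0.0:compile
"""

L4J = "org.apache.logging.log4j:"
LOG4J1 = {"log4j:log4j", "org.slf4j:slf4j-log4j12"}
# Non-exhaustive list of SLF4J 1.7.x bindings (assumption of this example).
SLF4J_BINDINGS = {L4J + "log4j-slf4j-impl", "org.slf4j:slf4j-log4j12",
                  "org.slf4j:slf4j-simple", "ch.qos.logback:logback-classic"}
NODE = re.compile(r"^(?:\[INFO\] )?([ |+\\-]*)([A-Za-z][^\s]*)$")


def parse_tree(text):
    """Yield (group:artifact, version, path from the root) per tree node."""
    stack = []
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        depth = len(m.group(1)) // 3          # each tree level is 3 chars wide
        ga = parts[0] + ":" + parts[1]
        # g:a:type:version[:scope] or g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        stack = stack[:depth] + [ga]
        yield ga, version, " > ".join(stack)


def version_tuple(v):
    """Turn '2.17.1' into (2, 17, 1); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(text, min_core=(2, 17, 1)):
    """Return sorted (rule, detail) findings for one dependency tree."""
    nodes = list(parse_tree(text))
    present = {ga for ga, _, _ in nodes}
    findings = []
    for ga, version, path in nodes:
        if ga in LOG4J1:
            # The path shows which dependency needs an <exclusion>.
            findings.append(("log4j1-on-classpath", path))
        if ga == L4J + "log4j-core" and version_tuple(version) < min_core:
            findings.append(("log4j-core-outdated", f"{version} via {path}"))
    # log4j-to-slf4j is not a binding, so SLF4J would log the
    # StaticLoggerBinder warning quoted earlier in the thread.
    if "org.slf4j:slf4j-api" in present and not present & SLF4J_BINDINGS:
        findings.append(("slf4j-no-binding", "SLF4J falls back to NOP logger"))
    # Both bridge directions together route events in a loop.
    if {L4J + "log4j-to-slf4j", L4J + "log4j-slf4j-impl"} <= present:
        findings.append(("bridge-loop", "both bridge directions present"))
    return sorted(findings)


if __name__ == "__main__":
    for name, tree in (("mixed-up", MIXED_UP), ("fixed", FIXED)):
        print(name, audit(tree) or "clean")
```

Feed it the real output of `mvn dependency:tree` per module; the path in each `log4j1-on-classpath` finding names the parent that needs the exclusion rule.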




[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-996263339


   Agreed completely.  All the failures I saw were Out of Memory errors.  That `helix-core` set of unit tests takes an hour or so to run on my laptop.  I'll see if I can reboot and run it fresh and see what happens, but if you all have a good way of checking out the branch and running the tests elsewhere to verify, that would probably be really helpful.




[GitHub] [helix] brentwritescode commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
brentwritescode commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-996293069


   Looks like two tests failed on the CI run:
   ```
   [info] ./helix-core/target/surefire-reports/TestSuite.txt: Tests run: 1287, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 6,816.116 s <<< FAILURE! - in TestSuite
   Error:  Test failed: testAggregateMetrics(org.apache.helix.monitoring.mbeans.TestClusterAggregateMetrics)  Time elapsed: 0.041 s  <<< FAILURE!
   Error:  Test failed: testStateTransitionTimeoutByClusterLevel(org.apache.helix.integration.paticipant.TestStateTransitionTimeoutWithResource)  Time elapsed: 17.987 s  <<< FAILURE!
   ```
   On a good note, re-running them locally seems to succeed:
   ```
   [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 71.291 s - in org.apache.helix.monitoring.mbeans.TestClusterAggregateMetrics
   [INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 79.696 s - in org.apache.helix.integration.paticipant.TestStateTransitionTimeoutWithResource
   ```
   So luckily it looks like all those out-of-memory issues were specific to my laptop testing setup.




[GitHub] [helix] junkaixue commented on pull request #1922: Upgrade Log4j to 2.16.0 to address CVE-2021-44228

Posted by GitBox <gi...@apache.org>.
junkaixue commented on pull request #1922:
URL: https://github.com/apache/helix/pull/1922#issuecomment-1006092841


   Need a final go-through of the PR again.

