Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/12/19 06:07:17 UTC

[GitHub] [druid] FrankChen021 opened a new pull request #12081: Update to log4j2 to 2.17.0

FrankChen021 opened a new pull request #12081:
URL: https://github.com/apache/druid/pull/12081


   Update to 2.17.0 to address another vulnerability [45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) which also affects the previous 2.16.0 release.
   
   The following is from the [log4j site](https://logging.apache.org/log4j/2.x/security.html)
   ![image](https://user-images.githubusercontent.com/6525742/146665698-9a16f2ca-efc2-4c21-9ca2-2f687ddece8e.png)
   
   Since this CVE's score is 7.5, which is lower than that of the previous CVE 45046 fixed in 2.16.0, I don't think we need to release another Druid patch release such as 0.22.2.
   
   
   This PR has:
   - [X] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] GElkayam edited a comment on pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
GElkayam edited a comment on pull request #12081:
URL: https://github.com/apache/druid/pull/12081#issuecomment-997384365


   Looking forward to seeing this in a version we can upgrade to, to clear CVE-2021-45105.
   @FrankChen021, please note that CVE-2021-45046 didn't start with a score of 9, and yet this is causing a headache for any sysadmin running Druid. So it would make sense to release a version ASAP, IMHO.




[GitHub] [druid] FrankChen021 commented on pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on pull request #12081:
URL: https://github.com/apache/druid/pull/12081#issuecomment-998404739


   @eric-mann We're discussing the patch on the [dev channel](https://lists.apache.org/list.html?dev@druid.apache.org). You can subscribe to it by emailing dev-subscribe@druid.apache.org if you have not done so.




[GitHub] [druid] GElkayam commented on pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
GElkayam commented on pull request #12081:
URL: https://github.com/apache/druid/pull/12081#issuecomment-997384365


   Looking forward to seeing this in a version we can upgrade to.
   @FrankChen021, please note that CVE-2021-45046 didn't start with a score of 9, and yet this is causing a headache for any sysadmin running Druid. So it would make sense to release a version ASAP, IMHO.




[GitHub] [druid] eric-mann commented on pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
eric-mann commented on pull request #12081:
URL: https://github.com/apache/druid/pull/12081#issuecomment-998174714


   > Druid's default log4j configuration does not use MDC pattern, so it's not affected ...
   
   My attempt to use this Jedi mind trick on our security teams didn't work ... can I second the request to release a 0.22.2 with this fix included ASAP?




[GitHub] [druid] suneet-s merged pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
suneet-s merged pull request #12081:
URL: https://github.com/apache/druid/pull/12081


   




[GitHub] [druid] FrankChen021 commented on pull request #12081: Update to log4j2 to 2.17.0

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on pull request #12081:
URL: https://github.com/apache/druid/pull/12081#issuecomment-997385447


   @GElkayam CVE 45046 and 45105 allow attackers to gain control over MDC. Actually, Druid's default log4j configuration does not use the MDC pattern, so it's not affected; I think we don't need to worry about them. As to whether there will be a patch release, I started a mailing thread internally to discuss it.


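The two questions this thread turns on, whether the bundled log4j-core is at a fixed version and whether the log4j2 configuration actually contains the Context Lookup that makes CVE-2021-45105 reachable, can be checked offline. The script below is an added example written for this page; it is not Druid or Log4j project code. Its version rule and its trigger rule (a Pattern Layout evaluating `${ctx:...}`) follow the Apache Log4j security page linked in the PR description; the jar names, the config snippets and the function names are constructed for illustration.

```python
"""Check a deployment for CVE-2021-45105 exposure (added example, not Druid code).

Two inputs, both collectable without touching the running JVM:
  1. log4j-core jar names on the classpath, e.g. from
     find /opt/druid -name 'log4j-core-*.jar'
  2. the text of the log4j2 configuration(s) in use.

Rules follow the Apache Log4j security page: the fix is 2.17.0 (2.12.3 on the
Java 7 line, 2.3.1 on the Java 6 line), and the recursion is reachable only when
a Pattern Layout evaluates a Context Lookup such as ${ctx:loginId}, usually
written $${ctx:loginId} in XML so that it is resolved at log time.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# log4j-core-2.16.0.jar, log4j-core-2.12.3.jar, log4j-core-2.0-beta9.jar; the
# -sources / -tests jars deliberately do not match and are ignored.
_JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-((?:alpha|beta|rc)\d*))?\.jar$")

# ${ctx:key} or $${ctx:key}, with or without a default (${ctx:key:-anonymous}).
_CTX_LOOKUP_RE = re.compile(r"\${1,2}\{ctx:([^}:]+)(?::-[^}]*)?\}")


def parse_core_version(jar_path: str) -> Optional[Tuple[Version, Optional[str]]]:
    """Return ((major, minor, patch), pre-release qualifier), or None if not log4j-core."""
    m = _JAR_RE.match(Path(jar_path).name)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier


def core_version_is_fixed(version: Version, qualifier: Optional[str] = None) -> bool:
    """True if this log4j-core version contains the CVE-2021-45105 fix."""
    if qualifier:          # 2.0-beta9 and friends predate every fix
        return False
    major, minor, patch = version
    if major != 2:         # 1.x is a different, end-of-life code base: flag it for review
        return major > 2
    if minor == 12:        # Java 7 maintenance line
        return patch >= 3
    if minor == 3:         # Java 6 maintenance line
        return patch >= 1
    return (major, minor, patch) >= (2, 17, 0)


def find_context_lookups(config_text: str) -> List[str]:
    """Context-map keys referenced via ${ctx:...} lookups (%X{key} converters are not lookups)."""
    return sorted(set(_CTX_LOOKUP_RE.findall(config_text)))


def assess(jar_paths: Iterable[str], config_text: str) -> Dict[str, object]:
    """Combine the two checks into one verdict for a deployment."""
    unfixed = []
    for path in jar_paths:
        parsed = parse_core_version(path)
        if parsed and not core_version_is_fixed(*parsed):
            unfixed.append(path)
    lookups = find_context_lookups(config_text)
    return {
        "unfixed_jars": unfixed,
        "context_lookups": lookups,
        # vulnerable code plus a reachable trigger: fix now
        "exploitable": bool(unfixed) and bool(lookups),
        # vulnerable code without the trigger in this config: still upgrade, since
        # the next config change can reintroduce the lookup
        "needs_upgrade": bool(unfixed),
    }


# Constructed sample inputs; not taken from a real Druid installation.
SAMPLE_JARS = [
    "lib/log4j-core-2.16.0.jar",
    "lib/log4j-api-2.16.0.jar",
    "extensions/other/log4j-core-2.17.0.jar",
]
SAMPLE_CONFIG_DEFAULT = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""
SAMPLE_CONFIG_WITH_LOOKUP = SAMPLE_CONFIG_DEFAULT.replace(
    "%p [%t]", "%p [%t] user=$${ctx:loginId:-anonymous}")

if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_CONFIG_DEFAULT),
                       ("with lookup", SAMPLE_CONFIG_WITH_LOOKUP)):
        print(label, assess(SAMPLE_JARS, cfg))
```

The verdict is split on purpose: "exploitable" is the case a security team will escalate (a pre-2.17.0 jar and a `${ctx:...}` lookup in the same deployment), while "needs_upgrade" stays true for an unfixed jar even with the default layout, which is the point the later comments in this thread make about still wanting a release.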