Its version is currently 3.0.0-SNAPSHOT but I don’t know why. I think it should be set to 1.0.0. We aren’t going to do a release of log4j-tools very often. Certainly not as frequently as log4j itself. It hardly ever changes. It needs an independent versioning scheme.

Ralph

> On Dec 10, 2020, at 1:50 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> I think the log4j-tools version should be set to 2.14.0 for an RC to match
> the release of log4j. Thoughts?
>
> Gary
>
> On Thu, Dec 10, 2020, 15:45 Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
>> OK. Then I guess I forgot since it has been so long.
>>
>> Ralph
>>
>>> On Dec 10, 2020, at 1:09 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>> But there *is* an allowed list of Java classes and packages configured
>>> in org.apache.logging.log4j.util.FilteredObjectInputStream which the
>>> log4j-server module's servers use through ObjectInputStreamLogEventBridge.
>>>
>>> Gary
>>>
>>> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ralph.go...@dslextreme.com>
>>> wrote:
>>>
>>>> There is a Jira issue to do that but as far as I know the Security bug was
>>>> never addressed in that code. In a quick glance at it I still see it
>>>> supporting Java serialized objects without any kind of whitelisting. I
>>>> don’t see anything in that repo besides the log server and I wouldn’t want
>>>> to release something with known security problems.
>>>>
>>>> Ralph
>>>>
>>>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>>
>>>>> Hi All:
>>>>>
>>>>> We've never released from
>>>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
>>>>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
>>>>>
>>>>> Gary
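
Added example, not part of the thread and not the Log4j source: a minimal ObjectInputStream subclass that enforces an allow list of classes and packages, the kind of control the thread discusses for a server that accepts Java serialized objects. The names AllowListDemo and AllowListObjectInputStream and the sample allow list are assumptions made for illustration; Java 9 or later is assumed for Set.of and List.of.

```java
import java.io.*;
import java.util.*;

// Added illustration; hypothetical names, not the Log4j FilteredObjectInputStream source.
public class AllowListDemo {
    /** Refuses to resolve any class that is not explicitly allowed. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> classes;          // exact class names
        private final List<String> packagePrefixes; // e.g. "com.example.events."
        AllowListObjectInputStream(InputStream in, Set<String> classes,
                                   List<String> packagePrefixes) throws IOException {
            super(in);
            this.classes = classes;
            this.packagePrefixes = packagePrefixes;
        }
        // Invoked for each class descriptor (superclasses included) before instantiation.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!classes.contains(name) && packagePrefixes.stream().noneMatch(name::startsWith)) {
                throw new InvalidClassException(name, "not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        // Constructed sample allow list: Integer plus its superclass Number.
        Set<String> allowed = Set.of("java.lang.Integer", "java.lang.Number");
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(data), allowed, List.of())) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readFiltered(serialize(42)));
        try {
            readFiltered(serialize(new ArrayList<>(List.of("x")))); // ArrayList is not allowed
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs in resolveClass, a disallowed class is rejected before any of its deserialization callbacks can execute. Array types appear under names such as `[Ljava.lang.String;` and need their own allow-list entries.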