I am looking at the release-2.x branch. I will set it to 1.0.0-SNAPSHOT soon (AFK)
Gary On Thu, Dec 10, 2020, 16:51 Ralph Goers <ralph.go...@dslextreme.com> wrote: > Its version is currently 3.0.0-SNAPSHOT but I don’t know why. I think it > should be set to 1.0.0. We aren’t going to do a release of log4j-tools > very often. Certainly not as frequently as log4j itself. It hardly ever > changes. It needs an independent versioning scheme. > > Ralph > > > On Dec 10, 2020, at 1:50 PM, Gary Gregory <garydgreg...@gmail.com> > wrote: > > > > I think the log4j-tools version should be set to 2.14.0 for a RC to match > > the release of log4j. Thoughts? > > > > Gary > > > > On Thu, Dec 10, 2020, 15:45 Ralph Goers <ralph.go...@dslextreme.com> > wrote: > > > >> OK. Then I guess I forgot since it has been so long. > >> > >> Ralph > >> > >>> On Dec 10, 2020, at 1:09 PM, Gary Gregory <garydgreg...@gmail.com> > >> wrote: > >>> > >>> But there *is* an allowed list of Java classes and packages configured > >>> in org.apache.logging.log4j.util.FilteredObjectInputStream which the > >>> log4j-server module's servers uses through > >> ObjectInputStreamLogEventBridge. > >>> > >>> Gary > >>> > >>> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers < > ralph.go...@dslextreme.com> > >>> wrote: > >>> > >>>> There is a Jira issue to do that but as far as I know the Security bug > >> was > >>>> never addressed in that code. In a quick glance at it I still see it > >>>> supporting Java serialized objects without any kind of whitelisting. I > >>>> don’t see anything in that repo besides the log server and I wouldn’t > >> want > >>>> to release something with known security problems. > >>>> > >>>> Ralph > >>>> > >>>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> > >> wrote: > >>>>> > >>>>> Hi All: > >>>>> > >>>>> We've never released from > >>>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and > I'm > >>>>> currently using a SNAPSHOT build. Any thoughts on releasing from > there? > >>>>> > >>>>> Gary > >>>> > >>>> > >>>> > >> > >> > >> > > >
