Re: CI red

2022-01-18 Thread Matt Sicker
I'm ok with removing the Jenkins builds, but we'll need a way to publish snapshot builds (or stop doing that).

On Tue, Jan 18, 2022 at 3:11 PM Volkan Yazıcı wrote:
> +1 with sticking to only GitHub Actions and dropping the rest (Jenkins?)
>
> I had actually proposed this in the past, but Ralph

Re: CI red

2022-01-18 Thread Volkan Yazıcı
+1 with sticking to only GitHub Actions and dropping the rest (Jenkins?) I had actually proposed this in the past, but Ralph back then still wanted to keep Jenkins for architecture diversity. A partially working CI undermines the entire trust to itself, hence translates to a no-CI in practice. O

CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.

2022-01-18 Thread Ralph Goers
Severity: Critical

Description: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Mitigation: Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.

Credit: @

CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1

2022-01-18 Thread Ralph Goers
Severity: high

Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQ

CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x

2022-01-18 Thread Ralph Goers
Severity: high

Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConne

Re: CI red

2022-01-18 Thread Xeno Amess
I see the icons. They are travis ci badges... Should be removed when we abandon travis ci

XenoAmess

From: Xeno Amess
Sent: Tuesday, January 18, 2022 9:13:50 PM
To: dev@logging.apache.org
Subject: Re: CI red

at which repo?

XenoAmess
_

Re: CI red

2022-01-18 Thread Xeno Amess
at which repo?

XenoAmess

From: Gary Gregory
Sent: Tuesday, January 18, 2022 8:41:51 PM
To: Apache Logging Developers List
Subject: CI red

We have red CI builds all the time. Why? I don't really care but I see that the GitHub portions of the builds are green all

CI red

2022-01-18 Thread Gary Gregory
We have red CI builds all the time. Why? I don't really care but I see that the GitHub portions of the builds are green all the time. So can we please drop the red parts?

Gary