Re: [VOTE] Release Log4j 2.15.1-rc1

I agree too. I was just worried that we wouldn't remove Message Lookups until 3.x. Removing them in the next minor release (2.16.0) is reasonable. On 2021-12-13 10:12, Volkan Yazıcı wrote: I agree with both of your points Remko. On Mon, Dec 13, 2021 at 2:40 AM Remko Popma wrote: I am also

Re: [VOTE] Release Log4j 2.15.1-rc1

JNDI is commonly used to configure JMS and JDBC. Gary On Mon, Dec 13, 2021 at 4:12 AM Volkan Yazıcı wrote: > Thanks so much for your understanding Ralph, it is very important for me. > > For one, message lookups are nothing but a plethora of vulnerabilities. I > think everybody agrees on this.

Re: [VOTE] Release Log4j 2.15.1-rc1

I agree with both of your points Remko. On Mon, Dec 13, 2021 at 2:40 AM Remko Popma wrote: > I am also okay with removing Message Lookups from 2.x. > A release with that change should be called 2.16.0 though, not 2.15.1 or > 2.15.2. > > Also it makes sense to *only* have that security change (re

Re: [VOTE] Release Log4j 2.15.1-rc1

Thanks so much for your understanding Ralph, it is very important for me. For one, message lookups are nothing but a plethora of vulnerabilities. I think everybody agrees on this. We shouldn't try to make it secure, we _must_ ditch it off. Second, I think, again, we shouldn't even be trying to in

Re: [VOTE] Release Log4j 2.15.1-rc1

Done, except I made it an info message.I can change it to info if you really think it is appropriate. Ralph > On Dec 12, 2021, at 8:48 PM, Matt Sicker wrote: > > I’m canceling this vote and will start a new one for the updates in progress. > >> On Dec 12, 2021, at 21:41, Remko Popma wrote:

Re: [VOTE] Release Log4j 2.15.1-rc1

I’m canceling this vote and will start a new one for the updates in progress. > On Dec 12, 2021, at 21:41, Remko Popma wrote: > > Okay. Would it be a good idea to retain support for the %m{nolookups} > configuration format? > (Silently accept and ignore it.) Yes, I think it would be a good ide

Re: [VOTE] Release Log4j 2.15.1-rc1

Okay. Would it be a good idea to retain support for the %m{nolookups} configuration format? (Silently accept and ignore it.) When the configuration contains %m{lookups}, it may be good to print a WARN message to the status logger that this setting will be ignored. > On Dec 13, 2021, at 12:2

Re: [VOTE] Release Log4j 2.15.1-rc1

I have just put up a PR. Please review it. Either Matt or I can cut a 2.16.0. I don’t see the point of 2.15.1 if we are going to do this. Ralph > On Dec 12, 2021, at 7:49 PM, Gary Gregory wrote: > > I like RERO but 3 releases in a week is a lot even for me :-) > > Gary > > On Sun, Dec 12, 20

Re: [VOTE] Release Log4j 2.15.1-rc1

I like RERO but 3 releases in a week is a lot even for me :-) Gary On Sun, Dec 12, 2021 at 9:41 PM Remko Popma wrote: > It seems that Ralph has already started to work on a PR to remove message > lookups altogether from 2.x. > > I have come around to Volkan’s point that we don’t want to ask use

Re: [VOTE] Release Log4j 2.15.1-rc1

It seems that Ralph has already started to work on a PR to remove message lookups altogether from 2.x. I have come around to Volkan’s point that we don’t want to ask users to upgrade Log4j every week. So it maybe better to cancel the 2.15.1 release and have a dedicated security release 2.16.

Re: [VOTE] Release Log4j 2.15.1-rc1

Should we proceed with 2.15.1 or cancel it and go to 2.16.0 straight away? Gary On Sun, Dec 12, 2021, 20:40 Remko Popma wrote: > I am also okay with removing Message Lookups from 2.x. > A release with that change should be called 2.16.0 though, not 2.15.1 or > 2.15.2. > > Also it makes sense to

Re: [VOTE] Release Log4j 2.15.1-rc1

I am also okay with removing Message Lookups from 2.x. A release with that change should be called 2.16.0 though, not 2.15.1 or 2.15.2. Also it makes sense to *only* have that security change (removing Message Lookups) in such a 2.16.0 release and not add other features. This will reduce the testi

Re: [VOTE] Release Log4j 2.15.1-rc1

Volkan, While ASF rules say a -1 vote is not a veto for all practical purposes the release manager is going to consider it a blocker. A release that removes JNDI will prevent people from inadvertently using the JNDI Lookup, JMS, or JndiContextSelector without understanding the security risk us

Re: [VOTE] Release Log4j 2.15.1-rc1

You don't need my vote. As far as I count, you already have more than 3. I can imagine Ralph and the rest have worked sleeplessly for days. Hence if they think disabling JNDI buys us a benefit, so be it. If not millions, tens of thousands of people tried to upgrade Log4j to 2.15.0 recently. A rel

Re: [VOTE] Release Log4j 2.15.1-rc1

On Mon, Dec 13, 2021 at 5:47 AM Remko Popma wrote: > First, is this really a blocker for 2.15.1? > I think it is prudent to do urgent releases soon. > This JNDI change (LOG4J2-3208 > ) feels urgent enough > to warrant another shortened vote windo

Re: [VOTE] Release Log4j 2.15.1-rc1

First, is this really a blocker for 2.15.1? I think it is prudent to do urgent releases soon. This JNDI change (LOG4J2-3208 ) feels urgent enough to warrant another shortened vote window. A larger change like removing message lookups should not be

Re: [VOTE] Release Log4j 2.15.1-rc1

Shall we discuss this first please? On Mon, Dec 13, 2021 at 5:10 AM Matt Sicker wrote: > If you can handle that change, I can roll a new release candidate. > > Matt Sicker > > > On Dec 12, 2021, at 14:07, Volkan Yazıcı wrote: > > > > I know. I want them to be removed, not disabled. > > > >> On

Re: [VOTE] Release Log4j 2.15.1-rc1

If you can handle that change, I can roll a new release candidate. Matt Sicker > On Dec 12, 2021, at 14:07, Volkan Yazıcı wrote: > > I know. I want them to be removed, not disabled. > >> On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker wrote: >> >> Those were already disabled in 2.15.0. >> >> M

Re: [VOTE] Release Log4j 2.15.1-rc1

I know. I want them to be removed, not disabled. On Sun, Dec 12, 2021 at 9:01 PM Matt Sicker wrote: > Those were already disabled in 2.15.0. > > Matt Sicker > > > On Dec 12, 2021, at 13:41, Volkan Yazıcı wrote: > > > > I very well recognize your heroic effort on tackling this issue and I am >

Re: [VOTE] Release Log4j 2.15.1-rc1

Those were already disabled in 2.15.0. Matt Sicker > On Dec 12, 2021, at 13:41, Volkan Yazıcı wrote: > > I very well recognize your heroic effort on tackling this issue and I am > very thankful for that. > I vote -1, because I want message (not configuration!) lookups to be > removed. > > Mes

Re: [VOTE] Release Log4j 2.15.1-rc1

I very well recognize your heroic effort on tackling this issue and I am very thankful for that. I vote -1, because I want message (not configuration!) lookups to be removed. Message lookups create a vast attack surface. Anything they offer can simply be implemented by the user. On Sun, Dec 12, 2

Re: [VOTE] Release Log4j 2.15.1-rc1

This is what I see on the console and printing the exception from the debugger: 13:42:06,505 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback-test.xml] at [file:/C:/d3vsrc/git/apache/logging-log4j2-2.x/log4j-core/target/test-classes/logback-test.xml] 13:42:06,763 |

Re: [VOTE] Release Log4j 2.15.1-rc1

I’ve verified the 512 SHAs are ok and run the build ok. After getting Matt to update the KEYS file his signature now verifies properly. +1 Ralph > On Dec 12, 2021, at 10:26 AM, Ralph Goers wrote: > > I don’t. But of course I wrote that test. It verifies that if you add dns as > a supported

Re: [VOTE] Release Log4j 2.15.1-rc1

+1 mvn clean && mvn install rat passes $ mvn -v Apache Maven 3.6.3 Maven home: /usr/share/maven Java version: 1.8.0_282, vendor: Azul Systems, Inc., runtime: /home/ckozak/.tools/jdk/zulu8.52.0.23-ca-jdk8.0.282-linux_x64/jre Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version

Re: [VOTE] Release Log4j 2.15.1-rc1

+1 for Log4j 2.15.1-rc1, I accidently replied to the wrong thread earlier. mvn clean install -t toolchains-sample-win.xmlmvn apache-rat:checkmvn revapi:check -pl log4j-api Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)Maven home: C:\projects\apache-maven-3.8.4Java version: 1.8.0_1

Re: [VOTE] Release Log4j 2.15.1-rc1

I don’t. But of course I wrote that test. It verifies that if you add dns as a supported protocol that it can find apache.org. Running it under the debugger it returns a DnsContext for me, which JndiLookup converts to a String which frankly isn’t very useful. com.sun.jndi.dns.DnsContext@4bdcaf3

Re: [VOTE] Release Log4j 2.15.1-rc1

Also, on Windows 10 and Java 8: [ERROR] Failures: [ERROR] JndiRestrictedLookupTest.testDnsLookup:154 No DNS data returned [INFO] [ERROR] Tests run: 2244, Failures: 1, Errors: 0, Skipped: 11 [INFO] Does anyone else get that? Gary On Sun, Dec 12, 2021 at 9:07 AM Gary Gregory wrote: > +1 > >

Re: [VOTE] Release Log4j 2.15.1-rc1

+1 *- I cannot get revapi:check to work on the log4j-api module due to some weird maven dependency issue I cannot resolve, may someone confirm that this check passes?* - Apache RAT check OK - mvn clean package Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537) Maven home: /usr/local/C

Re: [VOTE] Release Log4j 2.15.1-rc1

+1 build succeeds, all tests pass Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-28T00:06:16+09:00) Maven home: C:\apps\apache-maven-3.6.2\bin\.. Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: C:\apps\jdk1.8.0_202\jre Default locale: en_GB, platform encoding:

Re: [VOTE] Release Log4j 2.15.1-rc1

I'll review in the morning (EST). Gary On Sat, Dec 11, 2021, 23:02 Matt Sicker wrote: > If possible, let’s try to get this vote done over the next 24 hours. > > Matt Sicker > > > On Dec 11, 2021, at 21:48, Matt Sicker wrote: > > > > This is a vote to release Log4j 2.15.1, the next version of

Re: [VOTE] Release Log4j 2.15.1-rc1

Or less. While it is not an essential release I believe it will be appreciated. Ralph > On Dec 11, 2021, at 9:01 PM, Matt Sicker wrote: > > If possible, let’s try to get this vote done over the next 24 hours. > > Matt Sicker > >> On Dec 11, 2021, at 21:48, Matt Sicker wrote: >> >> This is

Re: [VOTE] Release Log4j 2.15.1-rc1

If possible, let’s try to get this vote done over the next 24 hours. Matt Sicker > On Dec 11, 2021, at 21:48, Matt Sicker wrote: > > This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 > project. > > Please download, test, and cast your votes on the log4j developers list.

[VOTE] Release Log4j 2.15.1-rc1

This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 project. Please download, test, and cast your votes on the log4j developers list. [] +1, release the artifacts [] -1, don't release because... The vote will remain open for 72 hours (or more if required). All votes are welco