Re: Log4j < 2.15.0 may still be vulnerable even if -Dlog4j2.formatMsgNoLookups=true is set

2021-12-21 Thread Gus Heck
For what it's worth, I'm seeing IT depts not wanting to track exceptions to the rule (such as Solr) and requiring the library upgrades period. On Tue, Dec 21, 2021 at 1:48 PM David Smiley wrote: > (switching to dev@solr.apache.org; the O.P. unfortunately sent this to > Lucene) > > BTW I'm having

Re: Solr 9.0.0 release in February

2021-12-21 Thread David Smiley
Thanks for volunteering to be the RM! No comment on the timeline; I'm in denial of the time flying. Log4shell and all that. Let's go to Lucene 9.1 and not 9.0. I'm seeing a massive change to lucene-test-framework in 9.1 on its way that IMO ought to have been done in 9.0. Going right to 9.1 av

Re: Log4j < 2.15.0 may still be vulnerable even if -Dlog4j2.formatMsgNoLookups=true is set

2021-12-21 Thread David Smiley
(switching to dev@solr.apache.org; the O.P. unfortunately sent this to Lucene) BTW I'm having a good conversation[1] with Ralph Goers on the Log4j2 PMC about the efficacy of log4j2.formatMsgNoLookups. So far I've learned nothing that concerns me and I feel better in fact about other apps using thi

Solr 9.0.0 release in February

2021-12-21 Thread Jan Høydahl
Hi, Solr's next feature release will be 9.0 (as 8x is in bugfix mode). Let's not even think about hacking an 8.12 release based on lucene-solr 8x branch. It will be ugly. The "Solr 9.0 release blockers" thread was started exact