suesunss commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990711764
I saw 2.15.0 was uploaded to the maven central:
https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/
Could anyone point out if thi
sunnypav edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990683057
I guess the RCE can be exploited by using a message which has a JNDI lookup,
which is not possible in log4j 1.x as it doesn't support lookups. And JMS
Appender can
sunnypav commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990683057
I guess the RCE can be exploited by using a message which has a JNDI lookup,
which is not possible in log4j 1.x as it doesn't support lookups. And JMS
Appender can be adde
francis created LOG4J2-3204:
---
Summary: SpringLookup not found while Interpolator initializing
Key: LOG4J2-3204
URL: https://issues.apache.org/jira/browse/LOG4J2-3204
Project: Log4j 2
Issue Type: Bu
Baoqi commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990674220
@remkop, thanks for your reply. Just want to make it more clear, because
many people reach this issue mainly for the "JNDI lookup" CVE, so, for log4j
1.x, although it conta
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990661374
> @remkop Which description is correct ?
@linux-ops You are asking me? Well, in my totally objective, completely
unbiased opinion, there is no doubt that my comment is
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456907#comment-17456907
]
Jeremy Li commented on LOG4J2-3201:
---
Will there be incremental update packages for his
[
https://issues.apache.org/jira/browse/LOG4NET-680?focusedWorklogId=693733&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-693733
]
ASF GitHub Bot logged work on LOG4NET-680:
--
Author: ASF GitHub Bot
fluffynuts commented on pull request #78:
URL: https://github.com/apache/logging-log4net/pull/78#issuecomment-990650366
@zhiweiv I was spinning up a release not too long ago - there are some other
small fixes that I'd like to get out. I just got a little swamped with other
stuff in the mea
zuoshangs commented on pull request #537:
URL: https://github.com/apache/logging-log4j2/pull/537#issuecomment-990647528
Lambda is not necessary
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to th
zuoshangs commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-990646688
emm
jsoref opened a new pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613
https://issues.apache.org/jira/browse/LOG4J2-3203
This PR corrects misspellings identified by the [check-spelling
action](https://github.com/marketplace/actions/check-spelling).
The m
Josh Soref created LOG4J2-3203:
--
Summary: Spelling
Key: LOG4J2-3203
URL: https://issues.apache.org/jira/browse/LOG4J2-3203
Project: Log4j 2
Issue Type: Improvement
Reporter: Josh Sor
Glavo edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990620253
[Glavo/log4j-patch](https://github.com/Glavo/log4j-patch) has been published
to Maven Central. If anyone cannot update to 2.15, he/she only needs to add
log4j-patch as
linux-ops edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990629440
> > Hi @rgoers, is log4j 1.x vulnerable?
>
> Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. ~I
also could not find any other reference
linux-ops commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990629440
> > Hi @rgoers, is log4j 1.x vulnerable?
>
> Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. ~I
also could not find any other reference to JNDI
Rajasekar P created LOG4NET-682:
---
Summary: Log4Net - Memory Leak - Post Upgrade to version 2.0.12.0
Key: LOG4NET-682
URL: https://issues.apache.org/jira/browse/LOG4NET-682
Project: Log4net
Issu
Glavo commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990620253
[Glavo/log4j-patch](https://github.com/Glavo/log4j-patch) has been published
to Maven Central. If anyone cannot update to 2.15, he/she only needs to add
log4j-patch as the fi
remkop commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r766293495
##
File path: src/site/xdoc/manual/appenders.xml
##
@@ -1555,6 +1555,33 @@ public class ConnectionFactory {
Default
Desc
Glavo commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990539235
> Quick Question, there is a remote code execution vulnerability in
Minecraft. From what I can tell it is somehow related to this. Does anyone know
if this the cause?
MyUsernamee removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990536644
Quick Question, there is a remote code execution vulnerability in Minecraft.
From what I can tell it is somehow related to this. Does anyone know if this
the ca
[
https://issues.apache.org/jira/browse/LOG4NET-680?focusedWorklogId=693677&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-693677
]
ASF GitHub Bot logged work on LOG4NET-680:
--
Author: ASF GitHub Bot
zhiweiv edited a comment on pull request #78:
URL: https://github.com/apache/logging-log4net/pull/78#issuecomment-990534030
Any chance to merge this and release a new version asap? It is a big problem
for .net 6.0.
@fluffynuts
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456855#comment-17456855
]
Truman Lackey edited comment on LOGCXX-537 at 12/10/21, 2:13 AM:
--
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456855#comment-17456855
]
Truman Lackey edited comment on LOGCXX-537 at 12/10/21, 2:12 AM:
--
MyUsernamee edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990536644
Quick Question, there is a remote code execution vulnerability in Minecraft.
From what I can tell it is somehow related to this. Does anyone know if this
the cau
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456855#comment-17456855
]
Truman Lackey edited comment on LOGCXX-537 at 12/10/21, 2:11 AM:
--
MyUsernamee commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990536644
Quick Question, there is a remote code execution vulnerability from what I
understand. From what I can tell it is somehow related to this. Does anyone
know if this the
Glavo commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990536602
I provide a patch library to solve this vulnerability (disable JNDI lookup):
[Glavo/log4j-patch](https://github.com/Glavo/log4j-patch)
It provides an empty `JndiLookup`
MyUsernamee edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990536644
Quick Question, there is a remote code execution vulnerability in minecraft
from what I understand. From what I can tell it is somehow related to this.
Does anyo
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456855#comment-17456855
]
Truman Lackey commented on LOGCXX-537:
--
I will need to generate test code and config
[
https://issues.apache.org/jira/browse/LOG4NET-680?focusedWorklogId=693674&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-693674
]
ASF GitHub Bot logged work on LOG4NET-680:
--
Author: ASF GitHub Bot
zhiweiv commented on pull request #78:
URL: https://github.com/apache/logging-log4net/pull/78#issuecomment-990534030
Any chance to merge this and release a new version asap?
JLLeitschuh commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990527697
Is this fix insufficient in the context of an SSRF vulnerability? IE. can an
attacker still make malicious requests that abuse this from localhost if
another local serv
Truman Lackey created LOGCXX-537:
Summary: double mutex lock
Key: LOGCXX-537
URL: https://issues.apache.org/jira/browse/LOGCXX-537
Project: Log4cxx
Issue Type: Bug
Components: Appen
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> Hi @rgoers, is log4j 1.x vulnerable?
Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. ~~I
also could not find any other reference to JNDI
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990504842
As documented here:
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
Gary
On Thu, Dec 9, 2021, 20:30 Gary Gregory ***
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990499954
We need to look at the log4j 1 JMS Appender which I thought had at least
programmatic support for JNDI.
Gary
On Thu, Dec 9, 2021, 20:26 Remko Popma ***@
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> Hi @rgoers, is log4j 1.x vulnerable?
Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. I also
could not find any other reference to JNDI in
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> Hi @rgoers, is log4j 1.x vulnerable?
Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. I also
could not find any other reference to JNDI in the [l
yuezk commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990484694
Hi @rgoers, is log4j 1.x vulnerable?
moonming commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990484436
@remkop thanks for your great work 👍
I come from the [Apache APISIX](https://github.com/apache/apisix) community,
and we can intercept this security vulnerability at the
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990474429
Update: the vote for log4j-2.15.0 passed and the release is in progress.
I can see the log4j web site reflecting the [log4j 2.15.0
release](https://logging.apac
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990474429
Update: the vote for log4j-2.15.0 passed and the release is in progress.
I can see the log4j web site reflecting the [log4j 2.15.0
release](https://logging.apache.org/
zhangyoufu edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
You can't ask everybody to upgrade to 2.15 at once. And the
`formatMsgNoLookups` option is available to log4j ≥ 2.10 only.
Thanks to
[LOG4J2-703](https://g
zhangyoufu edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
You can't ask everybody to upgrade to 2.15 at once. The `formatMsgNoLookups`
option is available to log4j ≥ 2.10 only.
Thanks to
[LOG4J2-703](https://githu
zhangyoufu commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
You can't ask everybody to upgrade to 2.15 at once. The `formatMsgNoLookups`
option is available to log4j ≥ 2.10 only.
Thanks to LOG4J2-703, I think it's quite saf
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990264908
> > > > > Is it a security vulnerability?
> > > >
> > > >
> > > > I think it is.
> > > > It is very surprising that this critical security issue does not
seem t
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990217634
Also, if this matters to you so much, why not show it with a donation to the
Apache Software Foundation https://www.apache.org/foundation/contributing.html
or this pro
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990213446
Your patience will soon be rewarded...
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456699#comment-17456699
]
Sean Busbey commented on LOG4J2-3201:
-
the 2.15.0 release vote is ongoing. please se
[
https://issues.apache.org/jira/browse/LOG4J2-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carter Kozak resolved LOG4J2-3202.
--
Fix Version/s: 2.15.0
Resolution: Duplicate
This is resolved in the pending 2.15.0 rele
InkerBot created LOG4J2-3202:
Summary: Only allow lookups in message, not in parameters.
Key: LOG4J2-3202
URL: https://issues.apache.org/jira/browse/LOG4J2-3202
Project: Log4j 2
Issue Type: Impro
GalvinGao edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990106334
> > > > Is it a security vulnerability?
> > >
> > >
> > > I think it is.
> > > It is very surprising that this critical security issue does not seem
t
GalvinGao commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990106334
> > > > Is it a security vulnerability?
> > >
> > >
> > > I think it is.
> > > It is very surprising that this critical security issue does not seem
to have
Glavo edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990094911
> > > Is it a security vulnerability?
> >
> >
> > I think it is.
> > It is very surprising that this critical security issue does not seem to
have receive
Glavo commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990094911
> > > Is it a security vulnerability?
> >
> >
> > I think it is.
> > It is very surprising that this critical security issue does not seem to
have received due a
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990070794
> > Is it a security vulnerability?
>
> I think it is.
>
> It is very surprising that this critical security issue does not seem to
have received due atte
Tom Judge created LOG4NET-681:
-
Summary: RollingFileAppender thread safety issue
Key: LOG4NET-681
URL: https://issues.apache.org/jira/browse/LOG4NET-681
Project: Log4net
Issue Type: Bug
Glavo commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990065982
> Is it a security vulnerability?
I think it is.
It is very surprising that this critical security issue does not seem to
have received due attention. It was rep
BUILD SUCCESS
Build URL
https://ci-builds.apache.org/job/Logging/job/log4j/job/release-2.x/411/
Project:
release-2.x
Date of build:
Thu, 09 Dec 2021 16:00:50 +
Build duration:
1 hr 4 min and counting
JUnit Tests
Name: (root) Failed: 0 test(s), Pa
vy commented on pull request #612:
URL: https://github.com/apache/logging-log4j2/pull/612#issuecomment-989987143
Thanks! Merged into both `master` and `release-2.x`.
vy closed pull request #612:
URL: https://github.com/apache/logging-log4j2/pull/612
qxo opened a new pull request #612:
URL: https://github.com/apache/logging-log4j2/pull/612

wcc526 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-989762094
Is it a security vulnerability?
wcc526 commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-989762094
Is it a security vulnerability?
BUILD UNSTABLE
Build URL
https://ci-builds.apache.org/job/Logging/job/log4j/job/release-2.x/410/
Project:
release-2.x
Date of build:
Thu, 09 Dec 2021 08:13:13 +
Build duration:
1 hr 38 min and counting
JUnit Tests
Name: (root) Failed: 0 test(s),
72 matches