[
https://issues.apache.org/jira/browse/LOGCXX-322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457553#comment-17457553
]
Tobias Frost edited comment on LOGCXX-322 at 12/11/21, 7:36 AM:
---
[
https://issues.apache.org/jira/browse/LOGCXX-322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457553#comment-17457553
]
Tobias Frost commented on LOGCXX-322:
-
At version 12.1, I'm seeing crashes in the mul
[
https://issues.apache.org/jira/browse/LOG4J2-3204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457544#comment-17457544
]
francis commented on LOG4J2-3204:
-
[~vy] I started a PR [https://github.com/apache/logg
Francis-FY opened a new pull request #617:
URL: https://github.com/apache/logging-log4j2/pull/617
Correct SpringLookup package name in the constructor of Interpolator
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use th
Marcono1234 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property
Marcono1234 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property
Firminator commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991418303
> Also, if this matters to you so much, why not show it with a donation to
... or this project's main contributor https://github.com/sponsors/rgoers ?
Case of http
Marcono1234 commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property mention
[
https://issues.apache.org/jira/browse/LOG4J2-3184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457488#comment-17457488
]
PJ Fanning commented on LOG4J2-3184:
[~vy] Biggest problem for scala 3 is writing so
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991387493
> When there are literally millions of log4j 1.x users out there, can you
stop toying around?
>
> There is no lookup expansion in log4j 1.x and it does not suffer from
pjfanning opened a new pull request #5:
URL: https://github.com/apache/logging-log4j-scala/pull/5
This is far from a full solution to having Scala 3 build working. It does
upgrade some tools and libs as a baby step.
Relates to https://issues.apache.org/jira/browse/LOG4J2-3184
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990758663
> @remkop , thanks for your reply. Just want to make it more clear, because
many people reach this issue mainly for the "JNDI lookup" CVE, so, for log4j
1.x, although
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> Hi @rgoers, is log4j 1.x vulnerable?
Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. ~~I
also could not find any other reference to JNDI
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990661374
> @remkop Which description is correct ?
@linux-ops You are asking me? Well, in my totally objective, completely
unbiased opinion, there is no doubt that my com
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
When there are literally millions of log4j 1.x users out there, can you stop
toying around?
There is no lookup expansion in log4j 1.x and it does not suffer from
ceki commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
When there are literally millions of log4j 1.x users out there, can you stop
toying around?
There is no lookup expansion in log4j 1.x and it does not suffer from
CVE-
[
https://issues.apache.org/jira/browse/LOG4J2-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457480#comment-17457480
]
PJ Fanning commented on LOG4J2-3206:
[~zhengqin] you can download v2.15.0 at
https:
mdpollard commented on a change in pull request #607:
URL: https://github.com/apache/logging-log4j2/pull/607#discussion_r767031109
##
File path: src/site/xdoc/manual/layouts.xml.vm
##
@@ -1455,9 +1455,9 @@ WARN [main]: Message 2
ahahu commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991354707
I'd also like to stress, that it is not sufficient to mitigate this
vulnerability by using a JRE/JDK version which prevents the RCE, nor should you
rely solely on your firewa
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991352666
Take the example as a warning not to try re-enabling the disabled feature!
bowb opened a new pull request #78:
URL: https://github.com/apache/logging-log4cxx/pull/78
Issue
[https://issues.apache.org/jira/projects/LOGCXX/issues/LOGCXX-537](https://issues.apache.org/jira/projects/LOGCXX/issues/LOGCXX-537)
[
https://issues.apache.org/jira/browse/LOGCXX-537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457393#comment-17457393
]
Truman Lackey commented on LOGCXX-537:
--
I have created a GitHub repo that with instru
philipwhiuk edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
philipwhiuk edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991306027
> I think [this fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven't verified
philipwhiuk commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
FileA
lawndoc edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think [this fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven'
lawndoc edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think this [fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven'
lawndoc commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think this [fix has been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven't verified t
mosajjal commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991249117
Ah cool thanks for confirming. The tag in Github repo doesn't show that
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991248202
2.15.0 is already released.
On Fri, Dec 10, 2021, 14:43 Ali Mosajjal ***@***.***> wrote:
> Hi Team,
>
> I know a lot of local Maven package managers
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991247673
RC2 was promoted to 2.15.0 last night. It should already be mirrored to
Maven Central.
mosajjal commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991246265
Hi Team,
I know a lot of local Maven package managers don't pull the RC version of a
release automatically (Nexus etc), is there a chance we can push RC2 to a
stabl
vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991241208
**For those who are looking for a JRE/JDK version to mitigate the problem**,
please don't! CVE-2021-44228 creates a large attack surface depending on the
imagination of the atta
[
https://issues.apache.org/jira/browse/LOG4J2-2721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rémi C. updated LOG4J2-2721:
Fix Version/s: 3.0.0
> Thread crash when parameter is a null value for StringMapMessage
>
[
https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457333#comment-17457333
]
Volkan Yazici commented on LOG4J2-3198:
---
[~eever...@usgs.gov], yes, unfortunately
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991233294
`JndiManager` is used by the other JNDI integration points. `JndiLookup` is
what's exploitable in a log message, though if you're using JNDI in your
configuration, a man in the
albertinix edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991225381
(re: the fix for versions <= 2.14.1)
Does anyone know if removing the `JndiLookup` class is enough?
On the [Apache Log4j2 page](https://logging.apache
albertinix commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991225381
Does anyone know if removing the `JndiLookup` class is enough?
On the [Apache Log4j2 page](https://logging.apache.org/log4j/2.x/) it's
stated to:
>Remove th
pjfanning commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991224174
One typo that I noticed earlier was 'primative' appearing in a few places in
one of the PRs related to the recent CVE issue.
(https://github.com/apache/logging-log4j2/pu
TiloGit commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991215492
> > Can't find much info about it.
>
> grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java: PrivilegedAction
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991210213
> > @garydgregory is there a safe Java 11 version?
>
> Check the release notes for 11.0.1.
https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.
[
https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457298#comment-17457298
]
Eric Everman edited comment on LOG4J2-3198 at 12/10/21, 6:00 PM:
-
fxshlein commented on pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614#issuecomment-991177316
I was going off this:
https://logging.apache.org/log4j/2.x/manual/configuration.html
Although it's completely removed there now. This morning it was still there 😉
[
https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457298#comment-17457298
]
Eric Everman commented on LOG4J2-3198:
--
Is there any possible configuration where t
jvz commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991165648
I'll review this in more detail later.
jvz merged pull request #616:
URL: https://github.com/apache/logging-log4j2/pull/616
cheese1 opened a new pull request #616:
URL: https://github.com/apache/logging-log4j2/pull/616
The webpage should get updated, too. It seems that there is at least one typo
already fixed but not deployed:
https://logging.apache.org/log4j/2.x/manual/configuration.html#Architecture
Archh
diegomrsantos removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991148664
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991148664
@peturthors I don't have much knowledge about this issue, so instead of
guessing and grep-ing the source code, I was searching for official release
notes.
peturthors edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991139464
> Can't find much info about it.
grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java:
P
peturthors commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991139464
> Can't find much info about it.
grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java:
Privileg
jsoref commented on a change in pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#discussion_r766802175
##
File path:
log4j-core/src/test/java/org/apache/logging/log4j/core/time/internal/format/FastDateParserTest.java
##
@@ -1,7 +1,7 @@
/*
* Licensed
vy commented on pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614#issuecomment-991107866
Thanks so much for the heads up @fxshlein! Please note that this correction
is against `master`, which is not released yet. All Log4j 2 releases & websites
are derived from `rel
jvz commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991107486
Josh, long time no see! It'd be awesome if you could either break up changes
or leave PR comments on relevant areas to help with review.
vy merged pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614
jsoref commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991078971
I'm not currently a log4j2 user.
We happen to be using log4j, so, in theory, I have some potential interest
in this project as opposed to just offering a general contr
[
https://issues.apache.org/jira/browse/LOG4J2-3203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457217#comment-17457217
]
Volkan Yazici commented on LOG4J2-3203:
---
I am closing the issue due to the reasons
[
https://issues.apache.org/jira/browse/LOG4J2-3203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici closed LOG4J2-3203.
-
Resolution: Won't Fix
> Spelling
>
>
> Key: LOG4J2-3203
>
[
https://issues.apache.org/jira/browse/LOG4J2-3204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457215#comment-17457215
]
Volkan Yazici commented on LOG4J2-3204:
---
[~Francis_FY], mind submitting a fix for
vy closed pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613
vy commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991069390
@jsoref, even though we appreciate your contribution for code clean-ups, it
is quite time consuming for us to review every single line, in particular,
given your changes span ac
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991063956
Can't find much info about it.
vy merged pull request #615:
URL: https://github.com/apache/logging-log4j2/pull/615
[
https://issues.apache.org/jira/browse/LOG4J2-905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457201#comment-17457201
]
Carter Kozak commented on LOG4J2-905:
-
The global switch was added in 2017 via
https
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991050192
> @garydgregory is there a safe Java 11 version?
Check the release notes for 11.0.1.
[
https://issues.apache.org/jira/browse/LOG4J2-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457198#comment-17457198
]
Volkan Yazici commented on LOG4J2-3206:
---
[~zhengqin], mind updating the ticket tit
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991046595
@garydgregory is there a safe Java 11 version?
[
https://issues.apache.org/jira/browse/LOG4J2-905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457193#comment-17457193
]
moritz löser commented on LOG4J2-905:
-
and now we hit:[https://www.lunasec.io/docs/bl
iidx opened a new pull request #615:
URL: https://github.com/apache/logging-log4j2/pull/615
Noticed a spelling mistake in lookups.adoc.
[
https://issues.apache.org/jira/browse/LOG4J2-3205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457152#comment-17457152
]
dingjsh commented on LOG4J2-3205:
-
Thank you for your reply. But is it my method would b
[
https://issues.apache.org/jira/browse/LOG4J2-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zheng qin updated LOG4J2-3206:
--
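Description: The official website has released version 2.15.0, the emergency fix for the Log4j2 remote code execution vulnerability, but GitHub has not been synced yet; hoping it gets synced to GitHub as soon as possible
(was: The official website has released the Log4j2 remote code execution emergency vulnerability fix vers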
zheng qin created LOG4J2-3206:
-
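Summary: The official website has released version 2.15.0, the emergency fix for the Log4j2 remote code execution vulnerability, but GitHub has not been synced yet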
Key: LOG4J2-3206
URL: https://issues.apache.org/jira/browse/LOG4J2-3206
Project: Log4j 2
Issue Type: Wish
[
https://issues.apache.org/jira/browse/LOG4J2-3205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457136#comment-17457136
]
Gary D. Gregory commented on LOG4J2-3205:
-
You MUST use Java 8 to target Java 8
fxshlein opened a new pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614
The documentation currently says `FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS`
is the correct environment variable to disable the message pattern lookups,
however after testing, it seems that `LOG4J
dingjsh created LOG4J2-3205:
---
Summary: OutputStreamManager.flushBuffer throw NoSuchMethodError
ByteBuffer.clear
Key: LOG4J2-3205
URL: https://issues.apache.org/jira/browse/LOG4J2-3205
Project: Log4j 2
Baoqi removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408
> @Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAddapter in
log4j configuration(log4j.properties) or not?
@sysmat I don't have answer for thi
zutnop edited a comment on pull request #308:
URL: https://github.com/apache/logging-log4j2/pull/308#issuecomment-990897937
It's a loss, that this wasn't merged into the project. I have been using it
(for solving the related issue with dynamic subjects) for over 4 years in
production with
zutnop commented on pull request #308:
URL: https://github.com/apache/logging-log4j2/pull/308#issuecomment-990897937
It's a loss, that this wasn't merged into the project. I have been using it
(for solving the related issue with dynamic subjects) for over 4 years in
production with multipl
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990885523
Yes, Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
protects against remote code execution by defaulting
"com.sun.jndi.rmi
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990881498
> > Hi there. Would setting the JVM property
`com.sun.jndi.ldap.object.trustURLCodebase = false` mitigate this ? Thanks.
>
> It is false by default.
>
> J
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990880189
> Hi there. Would setting the JVM property
`com.sun.jndi.ldap.object.trustURLCodebase = false` mitigate this ? Thanks.
It is false by default.
Java 8u121
peturthors commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990879257
Hi there.
Would setting the JVM property `com.sun.jndi.ldap.object.trustURLCodebase =
false` mitigate this ?
Thanks.
ryancastle commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r766585720
##
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
##
@@ -100,8 +109,21 @@ public JmsAppender bui
Rongmario commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990864435
https://github.com/LoliKingdom/NukeJndiLookupFromLog4j is nearly live on
CurseForge (modding platform for Minecraft), it'll target any clients/servers
running with Minecr
Baoqi commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408
> @Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAddapter in
log4j configuration(log4j.properties) or not?
@sysmat I don't have answer for this, as I'
sysmat edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990814971
@Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAddapter in
log4j configuration(log4j.properties) or not?
sysmat commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990814971
@Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAddapter or
not?
iamamoose commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990788953
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://logging.apache.org/log4j/2.x/security.html
mageshwarang edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990765517
@remkop Thanks for clarifying on the log4j 1.x. One of my old applications
is still using `log4j-1.2.17` and a few of my applications are using
`log4j-over-slf4j`
mageshwarang commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990765517
@remkop Thanks for clarifying on the log4j 1.x. One of my old applications
is still using `log4j-1.2.17` and a few of my applications are using
`log4j-over-slf4j`. But
utam0k edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990716441
@remkop Hi! Thanks for your work and the community correspondence.
Do you have any plans to backport the correspondence to this vulnerability
to older versions of t
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990758663
> @remkop , thanks for your reply. Just want to make it more clear, because
many people reach this issue mainly for the "JNDI lookup" CVE, so, for log4j
1.x, although it con
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990753698
> I saw 2.15.0 was uploaded to the maven central:
>
>
https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/
>
> Could anyone point out
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456962#comment-17456962
]
Volkan Yazici commented on LOG4J2-3201:
---
[~pingqicao], if you only depend on {{log
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456958#comment-17456958
]
pingqicao commented on LOG4J2-3201:
---
My project does not depend on log4j-core, but depe
iweiss commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r766474285
##
File path: src/site/xdoc/manual/appenders.xml
##
@@ -1555,6 +1555,33 @@ public class ConnectionFactory {
Default
Desc
[
https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456954#comment-17456954
]
Volkan Yazici commented on LOG4J2-3201:
---
[~e1knot], for the records, you can _"fix
vy closed pull request #539:
URL: https://github.com/apache/logging-log4j2/pull/539
vy commented on pull request #539:
URL: https://github.com/apache/logging-log4j2/pull/539#issuecomment-990728839
We have shared with @arturobernalg in the dev mailing list that we are
understaffed to deal with the cosmetic changes he has proposed so far, hence
closing the ticket.