sysmat commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990814971
@Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAppender or
not?
--
This is an automated message from the Apache Git Service.
To respond to the message, ple
sysmat edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990814971
@Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAppender in
log4j configuration (log4j.properties) or not?
Baoqi commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408
> @Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAppender in
log4j configuration (log4j.properties) or not?
@sysmat I don't have an answer for this, as I'
Rongmario commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990864435
https://github.com/LoliKingdom/NukeJndiLookupFromLog4j is nearly live on
CurseForge (modding platform for Minecraft), it'll target any clients/servers
running with Minecr
ryancastle commented on a change in pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#discussion_r766585720
##
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsAppender.java
##
@@ -100,8 +109,21 @@ public JmsAppender bui
peturthors commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990879257
Hi there.
Would setting the JVM property `com.sun.jndi.ldap.object.trustURLCodebase =
false` mitigate this ?
Thanks.
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990880189
> Hi there. Would setting the JVM property
`com.sun.jndi.ldap.object.trustURLCodebase = false` mitigate this ? Thanks.
It is false by default.
Java 8u121
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990881498
> > Hi there. Would setting the JVM property
`com.sun.jndi.ldap.object.trustURLCodebase = false` mitigate this ? Thanks.
>
> It is false by default.
>
> J
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990885523
Yes, Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
protects against remote code execution by defaulting
"com.sun.jndi.rmi
zutnop commented on pull request #308:
URL: https://github.com/apache/logging-log4j2/pull/308#issuecomment-990897937
It's a loss, that this wasn't merged into the project. I have been using it
(for solving the related issue with dynamic subjects) for over 4 years in
production with multipl
zutnop edited a comment on pull request #308:
URL: https://github.com/apache/logging-log4j2/pull/308#issuecomment-990897937
It's a loss, that this wasn't merged into the project. I have been using it
(for solving the related issue with dynamic subjects) for over 4 years in
production with
Baoqi removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408
> @Baoqi so this CVE impacts log4j v 1.xx only if app is using JMSAppender in
log4j configuration (log4j.properties) or not?
@sysmat I don't have an answer for thi
fxshlein opened a new pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614
The documentation currently says `FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS`
is the correct environment variable to disable the message pattern lookups,
however after testing, it seems that `LOG4J
iidx opened a new pull request #615:
URL: https://github.com/apache/logging-log4j2/pull/615
Noticed a spelling mistake in lookups.adoc.
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991046595
@garydgregory is there a safe Java 11 version?
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991050192
> @garydgregory is there a safe Java 11 version?
Check the release notes for 11.0.1.
vy merged pull request #615:
URL: https://github.com/apache/logging-log4j2/pull/615
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991063956
Can't find much info about it.
vy commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991069390
@jsoref, even though we appreciate your contribution for code clean-ups, it
is quite time consuming for us to review every single line, in particular,
given your changes span ac
vy closed pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613
jsoref commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991078971
I'm not currently a log4j2 user.
We happen to be using log4j, so, in theory, I have some potential interest
in this project as opposed to just offering a general contr
vy merged pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614
jvz commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991107486
Josh, long time no see! It'd be awesome if you could either break up changes
or leave PR comments on relevant areas to help with review.
vy commented on pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614#issuecomment-991107866
Thanks so much for the heads up @fxshlein! Please note that this correction
is against `master`, which is not released yet. All Log4j 2 releases & websites
are derived from `rel
jsoref commented on a change in pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#discussion_r766802175
##
File path:
log4j-core/src/test/java/org/apache/logging/log4j/core/time/internal/format/FastDateParserTest.java
##
@@ -1,7 +1,7 @@
/*
* Licensed
peturthors commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991139464
> Can't find much info about it.
grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java:
Privileg
peturthors edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991139464
> Can't find much info about it.
grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java:
P
diegomrsantos commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991148664
@peturthors I don't have much knowledge about this issue, so instead of
guessing and grep-ing the source code, I was searching for official release
notes.
diegomrsantos removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991148664
cheese1 opened a new pull request #616:
URL: https://github.com/apache/logging-log4j2/pull/616
The webpage should get updated, too. It seems that there is at least one typo
already fixed but not deployed:
https://logging.apache.org/log4j/2.x/manual/configuration.html#Architecture
Archh
jvz merged pull request #616:
URL: https://github.com/apache/logging-log4j2/pull/616
jvz commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991165648
I'll review this in more detail later.
fxshlein commented on pull request #614:
URL: https://github.com/apache/logging-log4j2/pull/614#issuecomment-991177316
I was going off this:
https://logging.apache.org/log4j/2.x/manual/configuration.html
Although it's completely removed there now. This morning it was still there 😉
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991210213
> > @garydgregory is there a safe Java 11 version?
>
> Check the release notes for 11.0.1.
https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.
TiloGit commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991215492
> > Can't find much info about it.
>
> grep-ing through the source code for jdk-11.0.1 we get
`src/java.naming/com/sun/jndi/ldap/VersionHelper.java: PrivilegedAction
pjfanning commented on pull request #613:
URL: https://github.com/apache/logging-log4j2/pull/613#issuecomment-991224174
One typo that I noticed earlier was 'primative' appearing in a few places in
one of the PRs related to the recent CVE issue.
(https://github.com/apache/logging-log4j2/pu
albertinix commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991225381
Does anyone know if removing the `JndiLookup` class is enough?
On the [Apache Log4j2 page](https://logging.apache.org/log4j/2.x/) it's
stated to:
>Remove th
albertinix edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991225381
(re: the fix for versions <= 2.14.1)
Does anyone know if removing the `JndiLookup` class is enough?
On the [Apache Log4j2 page](https://logging.apache
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991233294
`JndiManager` is used by the other JNDI integration points. `JndiLookup` is
what's exploitable in a log message, though if you're using JNDI in your
configuration, a man in the
vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991241208
**For those who are looking for a JRE/JDK version to mitigate the problem**,
please don't! CVE-2021-44228 creates a large attack surface depending on the
imagination of the atta
mosajjal commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991246265
Hi Team,
I know a lot of local Maven package managers don't pull the RC version of a
release automatically (Nexus etc), is there a chance we can push RC2 to a
stabl
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991247673
RC2 was promoted to 2.15.0 last night. It should already be mirrored to
Maven Central.
garydgregory commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991248202
2.15.0 is already released.
On Fri, Dec 10, 2021, 14:43 Ali Mosajjal ***@***.***> wrote:
> Hi Team,
>
> I know a lot of local Maven package managers
mosajjal commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991249117
Ah cool thanks for confirming. The tag in Github repo doesn't show that
lawndoc commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think this [fix has been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven't verified t
lawndoc edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think this [fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven'
lawndoc edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991297822
I think [this fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven'
philipwhiuk commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
FileA
vy commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991306027
> I think [this fix may have been
bypassed](https://twitter.com/stereotype32/status/1469313856229228544?s=20) and
that the latest release is still vulnerable... Haven't verified
philipwhiuk edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
philipwhiuk edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991305906
>
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/JMSAppender.html
This presumably requires configuring the appending though, so a simple
bowb opened a new pull request #78:
URL: https://github.com/apache/logging-log4cxx/pull/78
Issue
[https://issues.apache.org/jira/projects/LOGCXX/issues/LOGCXX-537](https://issues.apache.org/jira/projects/LOGCXX/issues/LOGCXX-537)
jvz commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991352666
Take the example as a warning not to try re-enabling the disabled feature!
ahahu commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991354707
I'd also like to stress, that it is not sufficient to mitigate this
vulnerability by using a JRE/JDK version which prevents the RCE, nor should you
rely solely on your firewa
mdpollard commented on a change in pull request #607:
URL: https://github.com/apache/logging-log4j2/pull/607#discussion_r767031109
##
File path: src/site/xdoc/manual/layouts.xml.vm
##
@@ -1455,9 +1455,9 @@ WARN [main]: Message 2
ceki commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
When there are literally millions of log4j 1.x users out there, can you stop
toying around?
There is no lookup expansion in log4j 1.x and it does not suffer from
CVE-
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
When there are literally millions of log4j 1.x users out there, can you stop
toying around?
There is no lookup expansion in log4j 1.x and it does not suffer from
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990661374
> @remkop Which description is correct ?
@linux-ops You are asking me? Well, in my totally objective, completely
unbiased opinion, there is no doubt that my com
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
> Hi @rgoers, is log4j 1.x vulnerable?
Hi @yuezk, as far as I can tell, log4j 1.x does not support lookups. ~~I
also could not find any other reference to JNDI
remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990758663
> @remkop , thanks for your reply. Just want to make it more clear, because
many people reach this issue mainly for the "JNDI lookup" CVE, so, for log4j
1.x, although
pjfanning opened a new pull request #5:
URL: https://github.com/apache/logging-log4j-scala/pull/5
This is far from a full solution to having Scala 3 build working. It does
upgrade some tools and libs as a baby step.
Relates to https://issues.apache.org/jira/browse/LOG4J2-3184
remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991387493
> When there are literally millions of log4j 1.x users out there, can you
stop toying around?
>
> There is no lookup expansion in log4j 1.x and it does not suffer from
Marcono1234 commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property mention
Firminator commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991418303
> Also, if this matters to you so much, why not show it with a donation to
... or this project's main contributor https://github.com/sponsors/rgoers ?
Case of http
Marcono1234 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property
Marcono1234 edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991396409
The latest Java versions are most likely still vulnerable to RCE. While they
prevent loading classes from remote sources by default (`trustURLCodebase`
property
Francis-FY opened a new pull request #617:
URL: https://github.com/apache/logging-log4j2/pull/617
Correct SpringLookup package name in the constructor of Interpolator
coldtobi opened a new pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79
As many of the individual test suites use the same output file for the
artifacts of the test suites, the tests are racy if executed in parallel,
e.g. by ctest -jxx. This patch fixes it by ass
coldtobi closed pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79
coldtobi commented on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991619447
I need to investigate why the test suite failed. Will reopen PR once ready.
coldtobi opened a new pull request #80:
URL: https://github.com/apache/logging-log4cxx/pull/80
Upstream cmake downloads the resource. This patch first tries to
find a system-installed version before falling back to the download.
Exchanging the md5 with a more secure sha256 checksum
coldtobi commented on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991623675
(Closing nuked the CI logs. Reopening to get them again)
coldtobi opened a new pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81
By default (at least on Linux) git does convert CRLF automatically, also in
the above mentioned file. However, that CRLF is a feature in that file
Jira: LOGCXX-540
ams-tschoening commented on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991649922
Looks like you have simply missed to change
`src/test/resources/input/patternLayout13.properties`? I find all the other
files changed, but not this one.
ams-tschoening commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991653650
Seems that some editors like my Sublime Text 3 don't even show something
like mixed line endings, but it claims the file to be `Unix` only. The line of
interest is th
rm5248 commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991664058
I was actually just about to go and fix this by creating a new file that was
in Windows(CRLF) line endings, since that particular property is only used in
[one
test.](https:
ams-tschoening commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991674503
If it doesn't break anything else, agreed, your approach would be better.
Especially if that use-case is already covered in `.gitattributes`.
rm5248 merged pull request #80:
URL: https://github.com/apache/logging-log4cxx/pull/80
rm5248 merged pull request #77:
URL: https://github.com/apache/logging-log4cxx/pull/77
coldtobi closed pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81
coldtobi commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991684540
I'm not sure about what changes requested:
- The suggestion from @ams-tschoening for formatting the gitattributes file
- rm5248's comment
I thought that the pur
coldtobi edited a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991684540
I'm not sure about what changes requested:
- The suggestion from @ams-tschoening for formatting the gitattributes file
- rm5248's comment
I thought that
coldtobi edited a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991684540
I'm not sure about what changes requested:
- The suggestion from @ams-tschoening for formatting the gitattributes file
- rm5248's comment
I thought that
coldtobi edited a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991684540
I'm not sure about what changes requested:
- The suggestion from @ams-tschoening for formatting the gitattributes file
- rm5248's comment ?
I thought tha
coldtobi edited a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991684540
I'm not sure about what changes requested:
- The suggestion from @ams-tschoening for formatting the gitattributes file
- rm5248's comment ?
I thought tha
coldtobi commented on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991687037
> Looks like you have simply missed to change
`src/test/resources/input/patternLayout13.properties`? I find all the other
files changed, but not this one.
Good catch
coldtobi edited a comment on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991687037
> Looks like you have simply missed to change
`src/test/resources/input/patternLayout13.properties`? I find all the other
files changed, but not this one.
Goo
coldtobi commented on pull request #79:
URL: https://github.com/apache/logging-log4cxx/pull/79#issuecomment-991689898
The failing testcase on ubuntu-18.04-g++-build-and-test is likely LOGCXX-322
`2021-12-11T15:44:14.6741094Z 20 - multithreadtest (SEGFAULT)`
(I've commented
rm5248 merged pull request #76:
URL: https://github.com/apache/logging-log4cxx/pull/76
rm5248 commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991703645
> I thought that the purpose of the testcase is to test both possibilities of
line continuations (on Win and *nix), as the properties are named accordingly
(the extra crlf in
ams-tschoening commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991705032
> I thought that the purpose of the testcase is to test both possibilities of
line continuations (on Win and *nix), as the properties
> are named accordingly (the ex
ams-tschoening removed a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991705032
> I thought that the purpose of the testcase is to test both possibilities of
line continuations (on Win and *nix), as the properties
> are named accordingly
ams-tschoening removed a comment on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991674503
If it doesn't break anything else, agreed, your approach would be better.
Especially if that use-case is already covered in `.gitattributes`.
ams-tschoening commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991706119
> There's one line in the properties file per test-case. So it does test
\r\n on *nix.[...]
Which means currently the properties parser is tested with mixed lin
rm5248 commented on pull request #81:
URL: https://github.com/apache/logging-log4cxx/pull/81#issuecomment-991709500
> > There's one line in the properties file per test-case. So it does test
\r\n on *nix.[...]
>
> Which means currently the properties parser is tested with mixed line
TopStreamsNet commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
@ceki @remkop - it is not exactly true that it doesn't suffer from lookup
issue though.
If you look at how jndi works in 1.x you will find that there are two pl
TopStreamsNet edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
@ceki @remkop - it is not exactly true that it doesn't suffer from lookup
issue though.
If you look at how jndi works in 1.x you will find that there are
qqchaozai commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991724441
We build class like this:
package org.apache.logging.log4j.core.lookup;
public class JndiLookup {}
ceki commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991730650
**If the attacker can modify the config file on some system S, then that S
can be assumed to be penetrated to a large extent.**
If the attacker can modify log4j.propert
ceki edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991730650
**If the attacker can modify the config file on some system S, then that S
can be assumed to be already penetrated to a large extent.**
If the attacker can modif