FrankChen021 opened a new pull request #12081: URL: https://github.com/apache/druid/pull/12081
Update to 2.17.0 to address another vulnerability [45015](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105) which also affects the previous 2.16.0 release. Following is from [log4j site](https://logging.apache.org/log4j/2.x/security.html)  Since this CVE score is 7.5 which is lower than the value of previous CVE 45046 fixed in 2.16.0, I don't think we need release another Druid path release such as 0.22.2. This PR has: - [X] been self-reviewed. - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.) - [ ] added documentation for new or modified features or behaviors. - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links. - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md) - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader. - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met. - [ ] added integration tests. - [ ] been tested in a test Druid cluster. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
