richardstartin opened a new pull request #7889: URL: https://github.com/apache/pinot/pull/7889
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) was announced this morning affecting log4j 2 until 2.15.0. I verified that there are no transitive dependencies on older versions of log4j 2:

```
mvn dependency:tree | grep log4j
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | | \- log4j:log4j:jar:1.2.17:compile
[INFO] | +- org.slf4j:slf4j-log4j12:jar:1.7.10:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
[INFO] | | \- log4j:log4j:jar:1.2.17:provided
[INFO] | +- org.slf4j:slf4j-log4j12:jar:1.7.10:provided
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:provided
[INFO] | | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:provided
[INFO] | | \- org.apache.logging.log4j:log4j-core:jar:2.15.0:provided
[INFO] | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.15.0:provided
```
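A scripted form of the check described in the pull request, as an added example that is not part of the original message or of the Pinot build: it reads `mvn dependency:tree` output and lists every `org.apache.logging.log4j` artifact below 2.15.0, so a long tree does not have to be read by eye. The function names and the sample tree, including its 2.14.1 entries, are constructed for illustration.

```shell
# Added example: list log4j 2 artifacts older than a floor version in
# `mvn dependency:tree` output. Names and sample data are constructed.
MIN_VERSION="2.15.0"   # floor version named in the pull request

# Reads dependency:tree text on stdin; prints group:artifact:version for each
# distinct org.apache.logging.log4j artifact whose version sorts below $1.
# Coordinates have the form group:artifact:type[:classifier]:version:scope.
# log4j:log4j (1.x) and slf4j-log4j12 use other groupIds and are not matched.
# Ordering is that of GNU `sort -V`, an approximation of Maven's ordering.
find_old_log4j2() {
  _min="$1"
  grep -oE 'org\.apache\.logging\.log4j:[^[:space:]]+' |
    awk -F: 'NF >= 5 { print $1 ":" $2 ":" $(NF-1) }' |
    sort -u |
    while IFS= read -r _gav; do
      _ver="${_gav##*:}"
      _lowest="$(printf '%s\n%s\n' "$_ver" "$_min" | sort -V | head -n 1)"
      # Older means: not equal to the floor, and sorts first against it.
      if [ "$_ver" != "$_min" ] && [ "$_lowest" = "$_ver" ]; then
        printf '%s\n' "$_gav"
      fi
    done
}

# Constructed sample input: one module still resolves log4j-core 2.14.1.
sample_tree() {
  cat <<'EOF'
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-core:jar:2.14.1:runtime
[INFO] | \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:runtime
EOF
}

# Stand-alone run on the sample; for a real build, pipe `mvn dependency:tree`.
sample_tree | find_old_log4j2 "$MIN_VERSION"
```

An empty result corresponds to the situation the pull request reports: every log4j 2 artifact in the tree is at the floor version or newer.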
