ethqunzhong opened a new issue #14237:
URL: https://github.com/apache/pulsar/issues/14237


   **Describe the bug**
   #13552 has fixed the log4j2 security bug.
   
   After building the Pulsar source code, in the generated dir, apache-pulsar-2.10.0-SNAPSHOT/lib, the third-party dependency libs are as follows:
   <img width="639" alt="image" src="https://user-images.githubusercontent.com/16517186/153557338-f775c4e6-edcd-48cf-ac6f-0e1d27f7fb11.png">
   
   Check this lib's pom.xml as follows, in which the log4j2 version is 2.1, lower than 2.17.1:
   <img width="548" alt="image" src="https://user-images.githubusercontent.com/16517186/153557002-41f1672e-ed9a-463c-80e8-26faa69f3a57.png">
   
   In the public Maven repo, the latest version of io.prometheus.simpleclient_log4j2 is 0.15.0, which depends on a log4j2 version updated to 2.17.1.
   Link: https://mvnrepository.com/artifact/io.prometheus/simpleclient_log4j2/0.15.0
   
   Should we upgrade the io.prometheus.simpleclient_log4j2 version from 0.5.0 to the latest (0.15.0) to avoid log4j2 security holes?
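
The manual check described in the issue (opening a bundled jar's pom.xml and reading its log4j2 version) can be automated across a whole lib directory. The following is an added example, not code from the issue or from the Pulsar project; the function names and the sample jar are constructed for illustration.

```python
import glob, io, re, sys, zipfile
import xml.etree.ElementTree as ET

MIN_VERSION = (2, 17, 1)  # the log4j2 version the issue compares against
LOG4J_GROUP = "org.apache.logging.log4j"

def classify(version):
    """'below' or 'ok' against MIN_VERSION; 'unresolved' if not a plain dotted number."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unresolved"
    parts = tuple(int(p) for p in version.split("."))
    return "below" if parts + (0,) * (3 - len(parts)) < MIN_VERSION else "ok"

def declared_log4j(pom_xml):
    """Yield (artifactId, version) for each log4j2 dependency declared in one pom."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop the Maven XML namespace
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId") or "").strip() != LOG4J_GROUP:
            continue
        version = (dep.findtext("version") or "").strip()
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:  # resolve ${property} when it is defined in the same pom
            version = props.get(ref.group(1), version)
        yield (dep.findtext("artifactId") or "").strip(), version

def scan_jar(jar):
    """jar: path or file object. Return [(artifactId, version, status)]."""
    with zipfile.ZipFile(jar) as zf:
        poms = [zf.read(n) for n in zf.namelist()
                if re.fullmatch(r"META-INF/maven/.+/pom\.xml", n)]
    return [(a, v, classify(v)) for pom in poms for a, v in declared_log4j(pom)]

def constructed_jar(log4j_version):
    """Constructed sample jar with one embedded pom (not a real published artifact)."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies><dependency>'
           f"<groupId>{LOG4J_GROUP}</groupId><artifactId>log4j-core</artifactId>"
           f"<version>{log4j_version}</version></dependency></dependencies></project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/example/example-lib/pom.xml", pom)
    return buf

if __name__ == "__main__":
    print("constructed sample:", scan_jar(constructed_jar("2.1")))
    for jar in (j for d in sys.argv[1:] for j in sorted(glob.glob(d + "/*.jar"))):
        for finding in scan_jar(jar):
            print(jar, *finding)
```

Pass the lib directory as an argument to scan every jar in it. The version declared in an embedded pom is what that library was built against; the log4j jars actually present in the same directory determine what is loaded at runtime, so both should be checked.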
   

