There's no big change between log4j 2.15 and 2.16 (in terms of CVE). So,
I would leave this vote running, and prepare a new Pax Logging/Karaf
release after (pretty soon).
Regards
JB
On 14/12/2021 09:30, Bernd Eckenfels wrote:
If you have any reason to delay it some more, a new pax logging with log4j
2.0.16 should be close by ,) Log4j finally disabled JNDI and removed the lookup
code. Otherwise another minor release would also be an option.
--
http://bernd.eckenfels.net
________________________________
From: Francois Papon <francois.pa...@openobject.fr>
Sent: Tuesday, December 14, 2021 8:49:24 AM
To: dev@karaf.apache.org <dev@karaf.apache.org>
Subject: Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)
+1 (binding)
Thanks JB!
regards,
Francois
On 13/12/2021 16:24, Jean-Baptiste Onofré wrote:
Hi everyone,
I submit Apache Karaf runtime 4.3.4 to your vote (take #2).
This release includes dependency upgrades, fixes, and improvements,
especially:
- upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing
an important security issue (CVE-2021-44228)
- align dependencies versions between Karaf and Pax *
- fix missing system export packages
- fix on Karaf features json support
- fix features autoRefresh configuration handling
- fix on sshd session handling
- update to sshd 2.8.0
- lots of pax * updates
- and much more !
Please take a look at the Release Notes for details !
Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
Staging Maven Repository:
https://repository.apache.org/content/repositories/orgapachekaraf-1164/
Staging Dist Repository:
https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
Git tag:
karaf-4.3.4
Please vote to approve this release:
[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)
This vote will be open for at least 72 hours.
Regards
JB