Given that log4j 2.15.0 has been found to have a denial of service, should we re-release with 2.16.0?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).

Regards,
Serge...

Serge Huber
CTO & Co-Founder
T +41 22 361 3424
9 route des Jeunes | 1227 Acacias | Switzerland
jahia.com <http://www.jahia.com/>
SKYPE | LINKEDIN <https://www.linkedin.com/in/sergehuber> | TWITTER <https://twitter.com/sergehuber> | VCARD <http://www.jahia.com/vcard/HuberSerge.vcf>
JOIN OUR COMMUNITY <http://www.jahia.com/> to evaluate, get trained and to discover why Jahia is a leading User Experience Platform (UXP) for Digital Transformation.

On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <francois.pa...@openobject.fr> wrote:
> +1 (binding)
>
> Thanks JB!
>
> regards,
>
> Francois
>
> On 15/12/2021 05:43, JB Onofré wrote:
> > Hi everyone,
> >
> > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> >
> > This release includes dependency upgrades, fixes, and improvements, especially:
> >
> > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing important security issue (CVE-2021-44228) and fixing JNDI issue
> > - align dependencies versions between Karaf and Pax *
> > - fix missing system export packages
> > - fix on Karaf features json support
> > - fix features autoRefresh configuration handling
> > - fix on sshd session handling
> > - update to sshd 2.8.0
> > - lot of pax * updates
> > - and much more !
> >
> > Please take a look on Release Notes for details !
> >
> > Release Notes:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> >
> > Staging Maven Repository:
> > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> >
> > Staging Dist Repository:
> > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> >
> > Git tag:
> > karaf-4.3.4
> >
> > Please vote to approve this release:
> >
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Regards
> > JB
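As an added example, not part of this thread nor of the Karaf or Log4j projects: a Python check a defender can run over deployed log4j-core jars to separate the three states the advisory text above distinguishes (a 2.16.0 or later build, an older build with JndiLookup.class stripped as the zip command does, and an unmitigated one), plus the same stripping done in Python. It assumes the Maven-standard pom.properties path inside log4j-core jars; the sample jars are constructed stand-ins, not real Log4j builds.

```python
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar):
    """Maven version of log4j-core from the jar's pom.properties, or None."""
    if POM_PROPS not in jar.namelist():
        return None
    lines = jar.read(POM_PROPS).decode().splitlines()
    props = dict(line.partition("=")[::2] for line in lines if "=" in line)
    return props.get("version", "").strip() or None

def version_tuple(version):
    """'2.16.0' -> (2, 16, 0); a '-SNAPSHOT' style qualifier is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3] if p.isdigit())

def assess_jar(path):
    """fixed: >= 2.16.0; mitigated: JndiLookup.class removed; vulnerable: otherwise."""
    with zipfile.ZipFile(path) as jar:
        version, has_jndi = log4j_core_version(jar), JNDI_LOOKUP in jar.namelist()
    if version and version_tuple(version) >= (2, 16, 0):
        status = "fixed"       # 2.16.0 drops message lookups and disables JNDI by default
    elif not has_jndi:
        status = "mitigated"   # the class is gone, as after zip -q -d
    else:
        status = "vulnerable"  # CVE-2021-45046 still reachable
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}

def strip_jndi_lookup(src, dst):
    """Copy a jar without the JndiLookup entry: the in-Python form of zip -q -d."""
    with zipfile.ZipFile(src) as inp, zipfile.ZipFile(dst, "w") as out:
        for info in inp.infolist():
            if info.filename != JNDI_LOOKUP:
                out.writestr(info, inp.read(info.filename))

def make_sample_jar(path, version, with_jndi):
    """Constructed stand-in for log4j-core-<version>.jar; not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only

def demo():
    """Assess three constructed jars; returns {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_sample_jar(d / "core-2.15.0.jar", "2.15.0", with_jndi=True)
        make_sample_jar(d / "core-2.16.0.jar", "2.16.0", with_jndi=False)
        strip_jndi_lookup(d / "core-2.15.0.jar", d / "core-2.15.0-stripped.jar")
        return {p.name: assess_jar(p)["status"] for p in sorted(d.glob("*.jar"))}
```

Point `assess_jar` at a real log4j-core jar from a Karaf distribution to check whether the stripping mitigation actually took effect before relying on it.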