Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (binding) Thanks JB! regards, Francois On 13/12/2021 16:24, Jean-Baptiste Onofré wrote: Hi everyone, I submit Apache Karaf runtime 4.3.4 to your vote (take #2). This release includes dependency upgrades, fixes, and improvements, especially: - upgrade to Pax Logging 2.0.11, upgrading

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 Cheers, Jamie On Mon, Dec 13, 2021 at 1:49 PM Achim Nierbeck wrote: > > +1 (binding) > > best regards, Achim > > Am Mo., 13. Dez. 2021 um 17:48 Uhr schrieb Roedl Lukas < > lukas.ro...@ait.ac.at>: > > > +1 (non-binding) > > > > regards, > > Lukas > > > > -Ursprüngliche Nachricht- > >

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (binding) best regards, Achim Am Mo., 13. Dez. 2021 um 17:48 Uhr schrieb Roedl Lukas < lukas.ro...@ait.ac.at>: > +1 (non-binding) > > regards, > Lukas > > -Ursprüngliche Nachricht- > Von: Jean-Baptiste Onofré > Gesendet: Montag, 13. Dezember 2021 16:24 > An: dev@karaf.apache.org >

AW: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 (non-binding) regards, Lukas -Ursprüngliche Nachricht- Von: Jean-Baptiste Onofré Gesendet: Montag, 13. Dezember 2021 16:24 An: dev@karaf.apache.org Betreff: [VOTE] Apache Karaf runtime 4.3.4 release (take #2) Hi everyone, I submit Apache Karaf runtime 4.3.4 to your vote (take #2).

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1 regards Grzegorz Grzybek pon., 13 gru 2021 o 17:17 Freeman Fang napisał(a): > +1(binding) > > Thanks! > Freeman > > On Mon, Dec 13, 2021 at 10:24 AM Jean-Baptiste Onofré > wrote: > > > Hi everyone, > > > > I submit Apache Karaf runtime 4.3.4 to your vote (take #2). > > > > This release

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

+1(binding) Thanks! Freeman On Mon, Dec 13, 2021 at 10:24 AM Jean-Baptiste Onofré wrote: > Hi everyone, > > I submit Apache Karaf runtime 4.3.4 to your vote (take #2). > > This release includes dependency upgrades, fixes, and improvements, > especially: > > - upgrade to Pax Logging 2.0.11,

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

On 13/12/2021 16:24, Jean-Baptiste Onofré wrote: Please vote to approve this release: [ ] +1 Approve the release OpenDaylight basics seem to be okay with this release, +1 (non-binding). Thanks, Robert OpenPGP_signature Description: OpenPGP digital signature

Re: [VOTE] Apache Karaf runtime 4.3.4 release (take #2)

> Jean-Baptiste Onofré : > Hi everyone, > I submit Apache Karaf runtime 4.3.4 to your vote (take #2). [snip!] > Please vote to approve this release: > [X] +1 Approve the release > [ ] -1 Don't approve the release (please provide specific comments) > This vote will be open for at least 72

[VOTE] Apache Karaf runtime 4.3.4 release (take #2)

Hi everyone, I submit Apache Karaf runtime 4.3.4 to your vote (take #2). This release includes dependency upgrades, fixes, and improvements, especially: - upgrade to Pax Logging 2.0.11, upgrading to log4j2 2.0.15, fixing important security issue (CVE-2021-44228) - align dependencies

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hi Grzegorz, Thanks. I was actually looking to create a new custom distribution, but I'm not sure if I want all other Karaf 4.3.4 to come along. For now it looks like we're going with log4j2.formatMsgNoLookups=true Best regards, Steven On Mon, Dec 13, 2021 at 2:17 PM Grzegorz Grzybek wrote:

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

@Steven Huypens In order to fix in current installation, you have to change the version in etc/startup.properties and at runtime, do `update mvn:org.ops4j.pax.logging/pax-logging-log4j2/2.0.11` regards Grzegorz Grzybek pon., 13 gru 2021 o 13:18 Jean-Baptiste Onofré napisał(a): > Hi, > > you

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hi, you can upgrade to Karaf 4.3.4 (vote will start in a hour or so). It will include Pax Logging 2.0.11. If you can't wait, then, you have to create your own distro (mimic what we do at Karaf). Regards JB On 13/12/2021 13:10, Steven Huypens wrote: Hi Grzegorz, Thanks, that's clear now.

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hi Grzegorz, Thanks, that's clear now. Another question: what is the simplest way of upgrading pax logging to 2.0.11 in my current Karaf 4.3.2 distro ? Should I blacklist the 2.0.9 dependencies and add the 2.0.11 ones to my features.xml, or is there a better option ? Kind regards, Steven On

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hello The multiple export trick/hack/improvement/convenience is to make it easier to upgrade pax logging itself without affecting the OSGi users. Pax Logging *has to* export Log4j2 packages at version of the ONLY Log4j2 library it uses (private-packages + re-exports), but it also declares that

Re: [ANN][CVE-2021-44228] Pax Logging 2.0.11 and 1.11.10 released

Hi all, We are using pax logging 2.0.9, but I can see it exports log4j2 packages for different versions: 2.9.1, 2.13.3 & 2.14.1 Since one of those versions is not higher than 2.10, it's not clear to me if the system property log4j.formatMsgNoLookup will fix the issue for our application. Anyone