Re: [Lo4Net] Cyber Vulnerability Vendor Impact Assessment for Lo4Net

2021-12-17 Thread Remko Popma
Hi Milind, Please take a look at this page, which has all the details: https://logging.apache.org/log4j/2.x/security.html In short, the log4net library is not impacted. Only log4j (the Java library) is impacted by this vulnerability. Kind regards, Remko On Sat, Dec 18, 2021 at 6:24 AM Milind

[RESULT][VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Ralph Goers
This vote received +1 from Carter Kozak, Gary Gregory, Matt Sicker, Ron Grabowski, Remko Popma, and Ralph Goers Thank you all! I will continue on with the release. Ralph

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Ralph Goers
My +1 Ralph > On Dec 17, 2021, at 8:18 PM, Ralph Goers wrote: > > This is a vote to release Log4j 2.17.0, the next version of the Log4j 2 > project. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [] -1, don't release because... >

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Remko Popma
+1 GNU signatures check ok. Build passed with maven clean install Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-28T00:06:16+09:00) Maven home: C:\apps\apache-maven-3.6.2\bin\.. Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: C:\apps\jdk1.8.0_202\jre Default

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Ron Grabowski
+1 mvn clean install mvn apache-rat:check Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537) Maven home: C:\projects\apache-maven-3.8.4 Java version: 1.8.0_181, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_181\jre Default locale: en_US, platform encoding:

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Matt Sicker
+1 Checked build, tests, sigs, site, etc. -- Matt Sicker > On Dec 17, 2021, at 21:18, Ralph Goers wrote: > > This is a vote to release Log4j 2.17.0, the next version of the Log4j 2 > project. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Gary Gregory
+1 Building from the git tag (tags/log4j-2.17.0-rc1 a19ef9bce) OK; running: - mvn clean install - mvn site -DskipTests - mvn apache-rat:check -DskipTests openjdk version "1.8.0_312" OpenJDK Runtime Environment (build 1.8.0_312-bre_2021_10_20_23_15-b00) OpenJDK 64-Bit Server VM (build

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Carter Kozak
+1 build + rat are good -ck On Fri, Dec 17, 2021, at 22:18, Ralph Goers wrote: > This is a vote to release Log4j 2.17.0, the next version of the Log4j 2 > project. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [] -1, don't

[VOTE] Release Apache Log4j 2.17.0-rc1

2021-12-17 Thread Ralph Goers
This is a vote to release Log4j 2.17.0, the next version of the Log4j 2 project. Please download, test, and cast your votes on the log4j developers list. [] +1, release the artifacts [] -1, don't release because... The vote will remain open for as short an amount of time as required to vet the

Re: [Lo4Net] Cyber Vulnerability Vendor Impact Assessment for Lo4Net

2021-12-17 Thread Dominik Psenner
Hi Milind, log4net is not log4j and therefore the recent log4j vulnerability is unrelated to log4net. Beyond that, the Apache Software Foundation is vendor neutral. Warm regards, Dominik On Fri, 17 Dec 2021 at 22:24, Milind Wankhede wrote: > Good Morning/Afternoon, > As you may know, a

[Lo4Net] Cyber Vulnerability Vendor Impact Assessment for Lo4Net

2021-12-17 Thread Milind Wankhede
Good Morning/Afternoon, As you may know, a cyber-vulnerability impacting Java Library: log4j was recently identified. DHS warns of critical flaw in widely used software - CNNPolitics As a result and to provide

Re: Log4J 1.x progress, pull request(s), plans

2021-12-17 Thread Matt Sicker
It's possible that it's not buildable without updates to the build scripts. If that's the case, then they should be updated. On Fri, Dec 17, 2021 at 12:28 PM Ralph Goers wrote: > > I am still questioning the plan. If you are planning on just creating a > security release > and then having the

Re: Log4J 1.x progress, pull request(s), plans

2021-12-17 Thread Ralph Goers
I am still questioning the plan. If you are planning on just creating a security release and then having the project go back to its coffin then I am not sure why all the tooling is needed. OTOH, if you want to resurrect the project then this really should go through the ASF incubator with

RE: JIRA for tracking 1.x release? also some input.

2021-12-17 Thread Homer, Tony
I'm glad to see the activity (!), but I'm having a hard time keeping up with the responses to this thread, sorry if I am out of order. >> (Leo) Glad you want to help. The original Log4J community left, so to get >> anything done we need some new contributors! I'm fine with skipping the issue

Re: JIRA for tracking 1.x release? also some input.

2021-12-17 Thread Leo Simons
On Fri, Dec 17, 2021 at 6:24 PM Vladimir Sitnikov < sitnikov.vladi...@gmail.com> wrote: > >Note removing the classes would break API compatibility > > I do not think keeping the class with "every method throws" is much better > than just removing the class. > Agreed! I also don't want to do

Log4J 1.x progress, pull request(s), plans

2021-12-17 Thread Leo Simons
Hey, Progress today As mentioned I made a draft PR for the branch I'm working on: https://github.com/apache/log4j/pull/16 My main progress today was to get the unit test suite working reliably (dozens of tests were disabled because they had flaky results), and then to get build and

Re: JIRA for tracking 1.x release? also some input.

2021-12-17 Thread Vladimir Sitnikov
>If we do need an issue tracker I would suggest enabling the github one >after making that a writable repo +1. If we need a tracker, then GitHub issues is the way to go. >Note removing the classes would break API compatibility I do not think keeping the class with "every method throws" is much

Re: JIRA for tracking 1.x release? also some input.

2021-12-17 Thread Leo Simons
Hi Tony, Glad you want to help. The original Log4J community left, so to get anything done we need some new contributors! On Thu, Dec 16, 2021 at 9:19 PM Homer, Tony wrote: > There has been some discussion about releasing a security update for log4j > 1.x (1.2.18, perhaps), both here and on >

Re: [VOTE] Release log4net 2.0.14

2021-12-17 Thread Davyd McColl
Hi Robert I checked and saw the same sha discrepancies - the only reason I can think of is perhaps I interrupted a release script such that I had updated artifacts but interrupted before the shas were computed. Fixed-up now, thanks for the heads-up. Just to be sure, I've updated the release

Re: [VOTE] Release log4net 2.0.14

2021-12-17 Thread Davyd McColl
Hi Dominik The staging site is updated. Really only release notes and download links changed - no api changes, so no sdk doc changes. -d On December 17, 2021 10:02:45 Dominik Psenner wrote: Hi Davyd, I checked the changes since 2.0.13 and it looks good to me. Have you also updated the

Re: [VOTE] Release log4net 2.0.14

2021-12-17 Thread Dominik Psenner
Hi Davyd, I checked the changes since 2.0.13 and it looks good to me. Have you also updated the log4net site? I would like to verify that the log4net website looks good in staging. Cheers Dominik On Thu, 16 Dec 2021 at 15:09, Davyd McColl wrote: > Hi all > > I'd like to raise a vote to