[fix][broker] Upgrade log4j2 version to 2.18.0 #16884
@liudezhi2098 Please provide a correct documentation label for your PR.
@@ -132,7 +132,7 @@ flexible messaging model and an intuitive client API.</description> | |||
<rocksdb.version>6.29.4.1</rocksdb.version> | |||
<slf4j.version>1.7.32</slf4j.version> | |||
<commons.collections4.version>4.4</commons.collections4.version> | |||
<log4j2.version>2.17.1</log4j2.version> | |||
<log4j2.version>2.18.0</log4j2.version> |
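Review bot: The `<log4j2.version>` property change from 2.17.1 to 2.18.0 is the only edit visible here, so the license files that record the bundled log4j version still need the matching update in the same PR. The title marks this as a fix, but nothing in the change says which log4j issue or CVE 2.18.0 addresses; state that in the PR description so backport decisions for the release branches can be made from it.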
We also need to update versions in license files.
OK
/pulsarbot run-failure-checks
@liudezhi2098 Can you link to the Log4j CVE in the PR description?
Lgtm
Release notes @liudezhi2098 if you think that there is a high security risk then please do not send a PR but reach out to private@pulsar.apache.org to discuss the problem.
…' into Upgrade_log4j2.version_to_2.18.0
/pulsarbot run-failure-checks
I have read the logic and it seems all good, but it is perhaps resource-consuming, so that we cannot receive messages in time, especially when CI is overwhelmed.
* Upgrade log4j2.version to 2.18.0
* update versions in license files
* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)
Move |
* Upgrade log4j2.version to 2.18.0
* update versions in license files
* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
Move |
@liudezhi2098 Would you like to cherry-pick this PR to branch-2.9?
Move release/2.9.4 label to #16995
*Motivation* We updated the log4j version in [PR](apache#16884), but we haven't updated the license file for the version.
Motivation
Upgrade log4j2 version to 2.18.0
Documentation
doc-not-needed