[fix][broker] Upgrade log4j2 version to 2.18.0 #16884

Merged

liudezhi2098
Contributor

@liudezhi2098 liudezhi2098 commented Jul 30, 2022

Motivation

Upgrade log4j2 version to 2.18.0

Documentation

  • doc-not-needed

@liudezhi2098 liudezhi2098 changed the title [improve][broker] Upgrade log4j2 version to 2.18.0 [fix][broker] Upgrade log4j2 version to 2.18.0 Jul 30, 2022
@github-actions

@liudezhi2098 Please provide a correct documentation label for your PR.
Instructions see Pulsar Documentation Label Guide.

@@ -132,7 +132,7 @@ flexible messaging model and an intuitive client API.</description>
<rocksdb.version>6.29.4.1</rocksdb.version>
<slf4j.version>1.7.32</slf4j.version>
<commons.collections4.version>4.4</commons.collections4.version>
<log4j2.version>2.17.1</log4j2.version>
<log4j2.version>2.18.0</log4j2.version>
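
Review bot: The `<log4j2.version>` bump from 2.17.1 to 2.18.0 only reaches artifacts whose version is resolved from this property, and nothing in this hunk shows whether a module or a transitive dependency pins a Log4j version directly. Please confirm the resolved versions across the build, for example with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`. Since the title is tagged `[fix]` while the Motivation only restates the version, the description should also name which change in 2.18.0 motivates the upgrade.
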
Contributor

We also need to update versions in license files.

Contributor Author

OK

@liudezhi2098
Contributor Author

/pulsarbot run-failure-checks

@merlimat
Contributor

@liudezhi2098 Can you link to the Log4j CVE in the PR description?

Contributor

@eolivelli eolivelli left a comment

Lgtm

@eolivelli
Contributor

Release notes
https://logging.apache.org/log4j/2.x/changes-report.html

@liudezhi2098 if you think that there is a high security risk then please do not send a PR but reach out to private@pulsar.apache.org to discuss the problem.
Disclosing a security issue on GH means disclosing it to the public and putting pressure on the whole community.

@tisonkun tisonkun mentioned this pull request Aug 1, 2022
@tisonkun
Member

tisonkun commented Aug 2, 2022

/pulsarbot run-failure-checks

@tisonkun
Member

tisonkun commented Aug 2, 2022

testJavaLoggingFunction is really a pain.

I once read through the logic and it all seems good, but it is perhaps resource-consuming, so we cannot receive messages in time, especially when CI is overwhelmed.

@liudezhi2098 liudezhi2098 merged commit 09ec578 into apache:master Aug 2, 2022
@tisonkun tisonkun mentioned this pull request Aug 2, 2022
BewareMyPower pushed a commit that referenced this pull request Aug 2, 2022
* Upgrade log4j2.version to 2.18.0

* update versions in license files

* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)
BewareMyPower pushed a commit that referenced this pull request Aug 2, 2022
Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)
@BewareMyPower
Contributor

Move release/2.8.4 label to #16914.

BewareMyPower added a commit that referenced this pull request Aug 2, 2022
…16914)

Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)

Co-authored-by: Dezhi LIiu <33149602+liudezhi2098@users.noreply.github.com>
Gleiphir2769 pushed a commit to Gleiphir2769/pulsar that referenced this pull request Aug 4, 2022
* Upgrade log4j2.version to 2.18.0

* update versions in license files

* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
@Jason918
Contributor

Jason918 commented Aug 4, 2022

Move release/2.7.5 label to #16942

@mattisonchao
Member

@liudezhi2098 Would you like to cherry-pick this PR to branch-2.9?

Jason918 added a commit that referenced this pull request Aug 5, 2022
codelipenghui pushed a commit that referenced this pull request Aug 8, 2022
* Upgrade log4j2.version to 2.18.0

* update versions in license files

* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)
liudezhi2098 added a commit that referenced this pull request Aug 9, 2022
…16995)

* Upgrade log4j2 version to 2.18.0

Co-authored-by: liudezhi <liudezhi2098@163.com>
@mattisonchao
Member

mattisonchao commented Aug 10, 2022

Move release/2.9.4 label to #16995

nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Aug 16, 2022
* Upgrade log4j2.version to 2.18.0

* update versions in license files

* fix EnvironmentBasedSecretsProviderTest error

Co-authored-by: liudezhi <liudezhi2098@163.com>
(cherry picked from commit 09ec578)
(cherry picked from commit 62ccfaa)
zymap added a commit to zymap/pulsar that referenced this pull request Sep 5, 2022
---

*Motivation*

We update the log4j version in [PR](apache#16884),
but we haven't updated the license file for the version.