)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"09f90fc1cfb3c6c4fb4a9dc2c22ec3fc814935bc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"72ac7184_a3454cc3","updated":"2021-12-16 08:39:45.000000000","message":"by the look at https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 and the fact that we get the updated packages already in our images, I suggest just sending a ml note that users are advised to upgrade their elasticsearch containers","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"46f70dac2ffb44a9b805a1868ba2c0db88966945","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"34e90078_dbfeef8c","in_reply_to":"07bb419f_a6e94629","updated":"2021-12-16 11:01:41.000000000","message":"We do not pin. This is Elastic\u0027s upstream RPM/DEB OSS repository that stopped being updated at that version. One day it might vanish completely","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"66877118f10983e2fd6a22e6bfccbfeb4664f27d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6d897f36_3653a393","in_reply_to":"34e90078_dbfeef8c","updated":"2021-12-16 11:06:39.000000000","message":"https://www.elastic.co/downloads/past-releases#elasticsearch-oss","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"26870723b56e2dd3e057b8bef369deed21ff60e7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"07bb419f_a6e94629","in_reply_to":"399e1d16_4dbbe303","updated":"2021-12-16 10:14:39.000000000","message":"Ah, I looked at Victoria with 6.x and forgot the pin of newer... In fact, we pin to 7.13.x, but obviously it is not patched...","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"13208fa8d3008f837283d9bbbda323d1616b0d81","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"51293646_e14257c9","in_reply_to":"6d897f36_3653a393","updated":"2021-12-16 11:19:20.000000000","message":"Ah, right. We pin the python package in curator. That\u0027s what one gets for doing quick checks. 😄 Anyhow, this is gtg no matter what.","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"86a2094565efd68be9b342198cf63aa1f568f2fb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"399e1d16_4dbbe303","in_reply_to":"72ac7184_a3454cc3","updated":"2021-12-16 08:48:28.000000000","message":"I\u0027m afraid we\u0027re pinned to 7.10.2 due to licensing","commit_id":"c272eb2bc8668ea9b2b390c9081a81f041b50a0f"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"4922ba1fe31739ed54469ef503f06ea82513a3e8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"2fc735a6_c5191b69","updated":"2021-12-16 10:21:40.000000000","message":"recheck","commit_id":"ecbd96bebbe9f70b1e3ea09b3794c8058ce93980"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"ca5f6eefa5178611d27f46d4af270353dc6b1a41","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"49f16b6f_ff2a2628","updated":"2021-12-20 18:10:37.000000000","message":"recheck","commit_id":"ecbd96bebbe9f70b1e3ea09b3794c8058ce93980"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"4e4a2991552f3989ead5f152e7f99c7f5c72bc5d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"88bc5192_320c6add","updated":"2021-12-20 12:22:54.000000000","message":"recheck","commit_id":"ecbd96bebbe9f70b1e3ea09b3794c8058ce93980"}],"releasenotes/notes/security-log4j-1be047799f8e590a.yaml":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"4573e78466277e8a6ac49d1f4f68036f103a92bd","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds mitigation for the Apache Log4j2 Remote Code Execution (RCE)"},{"line_number":5,"context_line":"    Vulnerability - CVE-2021-44228."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"6bcf58a7_886491ba","line":5,"range":{"start_line":4,"start_character":0,"end_line":5,"end_character":35},"updated":"2021-12-15 16:22:25.000000000","message":"It should specify that the mitigation is for Elasticsearch specifically; we still need another patch for Logstash?\n\nAlso, this is not enough to mitigate https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2021-45046","commit_id":"2cd23b8f8b299be9f9848a2821a2361f0681e3d7"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"edd3422673e4646ab7eff4e061434d3c7aca1412","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds mitigation for the Apache Log4j2 Remote Code Execution (RCE)"},{"line_number":5,"context_line":"    Vulnerability - CVE-2021-44228."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"aacbacb6_fa9c46ea","line":5,"range":{"start_line":4,"start_character":0,"end_line":5,"end_character":35},"in_reply_to":"6bcf58a7_886491ba","updated":"2021-12-16 08:31:28.000000000","message":"\u003e It should specify that the mitigation is for Elasticsearch specifically; we still need another patch for Logstash?\nNot in Kolla Ansible.\n\u003e Also, this is not enough to mitigate https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2021-45046\nElastic\u0027s guidance are unchanged by this new vulnerability.","commit_id":"2cd23b8f8b299be9f9848a2821a2361f0681e3d7"}]}
