Skip to content

HADOOP-19867. Upgrade log4j to 2.25.4 for security#8444

Merged
pan3793 merged 1 commit intoapache:trunkfrom
pjfanning:HADOOP-19867-log4j
Apr 19, 2026
Merged

HADOOP-19867. Upgrade log4j to 2.25.4 for security#8444
pan3793 merged 1 commit intoapache:trunkfrom
pjfanning:HADOOP-19867-log4j

Conversation

@pjfanning
Copy link
Copy Markdown
Member

@pjfanning pjfanning commented Apr 19, 2026

Description of PR

https://issues.apache.org/jira/browse/HADOOP-19867

CVE-2026-34477

CVE-2026-34478

CVE-2026-34479

CVE-2026-34480

log4j is not mentioned in LICENSE-binary (currently)

How was this patch tested?

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

If an AI tool was used:

@hadoop-yetus
Copy link
Copy Markdown

hadoop-yetus commented Apr 19, 2026

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 0s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 40m 52s trunk passed
+1 💚 compile 0m 47s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 compile 0m 47s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 mvnsite 0m 50s trunk passed
+1 💚 javadoc 0m 49s trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 0m 46s trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 shadedclient 73m 23s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 16s the patch passed
+1 💚 compile 0m 14s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javac 0m 14s the patch passed
+1 💚 compile 0m 15s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 javac 0m 15s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 0m 18s the patch passed
+1 💚 javadoc 0m 15s the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04
+1 💚 javadoc 0m 16s the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1
+1 💚 shadedclient 28m 32s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 19s hadoop-project in the patch passed.
+1 💚 asflicense 0m 37s The patch does not generate ASF License warnings.
106m 37s
Subsystem Report/Notes
Docker ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8444/1/artifact/out/Dockerfile
GITHUB PR #8444
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname Linux 9584e1b415f8 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 06fad5f
Default Java Ubuntu-17.0.18+8-Ubuntu-124.04.1
Multi-JDK versions /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8444/1/testReport/
Max. process+thread count 606 (vs. ulimit of 10000)
modules C: hadoop-project U: hadoop-project
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8444/1/console
versions git=2.43.0 maven=3.9.11
Powered by Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.

pan3793
pan3793 approved these changes Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pan3793 pan3793 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

log4j2 is a test-only dep so far, so no need to mention in LICENSE/NOTICE

@pan3793 pan3793 changed the title HADOOP-19867. Upgrade log4j to 2.25.4 due to multiple CVEs HADOOP-19867. Upgrade log4j to 2.25.4 for security Apr 19, 2026
@pan3793 pan3793 merged commit f6e4e25 into apache:trunk Apr 19, 2026
1 of 3 checks passed
pan3793 pushed a commit that referenced this pull request Apr 19, 2026
@pjfanning @pan3793
HADOOP-19867. Upgrade log4j to 2.25.4 for security (#8444)
46c9854 
Reviewed-by: Shilun Fan <slfan1989@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
@pan3793
Copy link
Copy Markdown
Member

pan3793 commented Apr 19, 2026

committed to trunk/branch-3.5

@pjfanning pjfanning deleted the HADOOP-19867-log4j branch April 20, 2026 13:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pan3793 pan3793 pan3793 approved these changes

@slfan1989 slfan1989 slfan1989 approved these changes

Assignees

No one assigned

Labels

build trunk

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pjfanning @hadoop-yetus @pan3793 @slfan1989