Integrate all patches or the most important ones when releasing security patch for Log4j

[rhadw]

Query
Integrate all patches/fixes which are production ready.

Expected Behavior
I would like to integrate all minor changes or at least the most annoying of them in the security patch for log4j.
This is an important fix which should have been present in the latest release but isn't: opendistro-for-elasticsearch/index-management#448 - it's regarding applying only the first 10 policies because of a search issue.
An example would be this #763 regarding continous tenant selection message

Current Behavior
No fixes/patches since v1.13...

Failure Information (for bugs)
This is an important fix which should have been present in the latest release but isn't: opendistro-for-elasticsearch/index-management#448 - it's regarding applying only the first 10 policies because of a search issue.

[stockholmux]

@rhadw 1.13.3 was an emergency fix for log4j - that was the only priority. Any additional fixes would have to go into an additional release.

[FirstWhack]

Cannot answer until we get the source for 1.13.3.

Was this image deployed from the 1.13.3-test branch???

[madhavs]

We see performance-analyzer still has reference to log4j-core-2.13.0.jar - can we get a build updating the all the log4j jar files to a version without the vuln?