vitess.io/vitess@v0.16.2/changelog/10.0/10.0.3/release_notes.md

# Release of Vitess v10.0.3
## Announcement

This patch release provides an update regarding the Apache Log4j security vulnerability (CVE-2021-44228) (#9363).

## Known Issues

* A critical vulnerability [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) in the Apache Log4j logging library was disclosed on Dec 9 2021.
  The project provided release `2.15.0` with a patch that mitigates the impact of this CVE. It was quickly found that the initial patch was insufficient, and additional CVEs
  [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) and [CVE-2021-44832](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832) followed.
  These have been fixed in release `2.17.1`. This release of Vitess, `v10.0.3`, uses a version of Log4j below `2.17.1`; for this reason, we encourage you to use version `v10.0.5` instead, to benefit from the vulnerability patches.

* An issue where the value of the `-force` flag is used instead of the `-keep_data` flag's value in v2 vreplication workflows (#9174) is known to be present in this release. A workaround is available in the description of issue #9174.

------------
## Changelog

### CI/Build
#### Build/CI
* CI: ubuntu-latest now has MySQL 8.0.26, let us override it with latest 8.0.x #9375
### Internal Cleanup
#### Java
* build(deps): bump log4j-api from 2.13.3 to 2.15.0 in /java #9363


The release includes 5 commits (excluding merges)

Thanks to all our contributors: @deepthi, @frouioui