The Apache Log4j 2 team is pleased to announce the Log4j 2.3.2 release!

Apache Log4j is a well-known framework for logging application behavior.
Log4j 2 is an upgrade to Log4j that provides significant improvements over
its predecessor, Log4j 1.x, and provides many other modern features such as
support for Markers, property substitution using Lookups, and asynchronous
Loggers. In addition, Log4j 2 will not lose events while reconfiguring.

The major changes contained in this release include:

* Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation
  of Lookups during log event processing. Recursive evaluation is still
  allowed while generating the configuration.
* Address CVE-2021-44882 by removing processing of Lookups in the Message
  Pattern Converter of the Pattern Layout and preventing JNDI operations from
  using any protocols other than java.
* The JndiLookup, JndiContextSelector, and JMSAppender now require individual
  system properties to be enabled.

The JNDI components are now disabled by default and may be enabled separately
with three individual properties: log4j2.enableJndiContextSelector,
log4j2.enableJndiJms, and log4j2.enableJndiLookup.
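
An added example, not part of the original announcement or of Log4j itself: a small audit that reads JVM launch command lines (for instance collected from process listings or service unit files) and reports which of the three JNDI components have been switched back on. The sample command lines are constructed, and the rule that only the value "true" (case-insensitive) enables a component is an assumption based on usual Java boolean property parsing.

```python
import shlex

# The three opt-in system properties named in the announcement,
# mapped to the component each one re-enables.
JNDI_PROPERTIES = {
    "log4j2.enableJndiContextSelector": "JndiContextSelector",
    "log4j2.enableJndiJms": "JMSAppender",
    "log4j2.enableJndiLookup": "JndiLookup",
}

# Constructed sample launch lines (not taken from any real system).
SAMPLE_COMMANDS = [
    "java -Dlog4j2.enableJndiLookup=true -cp app.jar:log4j-core-2.3.2.jar com.example.Main",
    "java -Dlog4j2.enableJndiJms=TRUE -Dlog4j2.enableJndiJms=false -jar app.jar",
    "java -Xmx512m -jar app.jar -Dlog4j2.enableJndiLookup=true",
    "java -Dlog4j2.enableJndiContextSelector=true -Dlog4j2.enableJndiLookup=true -jar app.jar",
]


def enabled_jndi_components(java_command_line):
    """Return the sorted JNDI components a JVM command line switches back on."""
    tokens = shlex.split(java_command_line)[1:]  # drop the java executable
    values = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-cp", "-classpath"):
            i += 2  # skip the option and its path argument
            continue
        if tok == "-jar" or not tok.startswith("-"):
            break  # the rest are application arguments, not JVM options
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            if name in JNDI_PROPERTIES:
                values[name] = value  # assumed: a repeated -D is last-wins
        i += 1
    # Assumption: only the literal "true" (any case) enables a component.
    return sorted(JNDI_PROPERTIES[n] for n, v in values.items()
                  if v.lower() == "true")


def audit(command_lines):
    """Map each command line that re-enables JNDI to the components it enables."""
    findings = {}
    for line in command_lines:
        components = enabled_jndi_components(line)
        if components:
            findings[line] = components
    return findings


if __name__ == "__main__":
    for line, components in audit(SAMPLE_COMMANDS).items():
        print(", ".join(components), "<-", line)
```

The third sample is not flagged because a -D placed after the jar file is passed to the application as an argument and never becomes a system property.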

GA Release 2.3.2

Changes in this version include:


Fixed Bugs:
o LOG4J2-3293:  JDBC Appender should use JNDI Manager and JNDI access should
       be limited.
       Backport fix for CVE-2021-44832.
o LOG4J2-2819:  Add support for specifying an SSL configuration for
       SmtpAppender.
       Backport fix for CVE-2020-9488 to allow SSL/TLS hostname verification.



Apache Log4j 2.3.2 requires a minimum of Java 6 to build and run. It is not
expected that any future Java 6 releases will be provided.

Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api
component; however, it does not implement some of the very
implementation-specific classes and methods. The package names and Maven
groupId have been changed to org.apache.logging.log4j to avoid any conflicts
with Log4j 1.x.

For complete information on Apache Log4j 2, including instructions on how to
submit bug reports, patches, or suggestions for improvement, see the Apache
Log4j 2 website:

http://logging.apache.org/log4j/2.x/

Downloads available here:
https://logging.apache.org/log4j/log4j-2.3.2/download.html

GPG keys for verifying releases are available here:
https://downloads.apache.org/logging/KEYS


--
Matt Sicker
