This is an automated email from the ASF dual-hosted git repository.
mattsicker pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 7bcf65b Fix typo
7bcf65b is described below
commit 7bcf65b92f3142a380be0a8f57ac8187d4bd95cc
Author: Matt Sicker <[email protected]>
AuthorDate: Sat Dec 11 21:52:36 2021 -0600
Fix typo
---
log4j-2.15.1/index.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/log4j-2.15.1/index.html b/log4j-2.15.1/index.html
index 86c5342..2a6eab9 100644
--- a/log4j-2.15.1/index.html
+++ b/log4j-2.15.1/index.html
@@ -200,7 +200,7 @@
<p>The Log4j team has been made aware of a security vulnerability,
CVE-2021-44228, that has been addressed in Log4j 2.15.0.</p>
<p>Log4j’s JNDI support has not restricted what names could be
resolved. Some protocols are unsafe or can allow remote code execution. Log4j
now limits the protocols by default to only java, ldap, and ldaps and limits
the ldap protocols to only accessing Java primitive objects by default served
on the local host.</p>
<p>One vector that allowed exposure to this vulnerability was Log4j’s
allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature
is now disabled by default. While an option has been provided to enable Lookups
in this fashion, users are strongly discouraged from enabling it.</p>
-<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this
vulnerability can be mitigated by setting either the system property
log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all
PatternLayout patterns can be modified to specify the message converter as
%m{nnolookups} instead of just %m. For releases from 2.0-beta9 to 2.10.0, the
mitigation is to remove the JndiLookup class from the classpath:zip [...]
+<p>For those who cannot upgrade to 2.15.0, in releases >=2.10, this
vulnerability can be mitigated by setting either the system property
log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all
PatternLayout patterns can be modified to specify the message converter as
%m{nolookups} instead of just %m. For releases from 2.0-beta9 to 2.10.0, the
mitigation is to remove the JndiLookup class from the classpath:zip [...]
<h3>Other News</h3>
<p>Log4j 2.15.1 is now available for production. The API for Log4j 2 is not
compatible with Log4j 1.x, however an adapter is available to allow
applications to continue to use the Log4j 1.x API. Adapters are also available
for Apache Commons Logging, SLF4J, and java.util.logging.</p>
<p>Log4j 2.15.1 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2
requires Java 8 or greater at runtime. This release contains new features and
fixes which can be found in the latest <a
href="changes-report.html#a2.15.1">changes report</a>.</p>
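Review bot: The version ranges in the corrected paragraph overlap at 2.10.0, so a reader on that release cannot tell which mitigation applies. "releases >=2.10" (the log4j2.formatMsgNoLookups property or the LOG4J_FORMAT_MSG_NO_LOOKUPS variable) and "releases from 2.0-beta9 to 2.10.0" (removing the JndiLookup class) both include it. Please state whether the upper bound of the last range is inclusive, and write the first range with the same full version form (2.10.0) as the others. Separately, the paragraph still says "cannot upgrade to 2.15.0" while this page announces 2.15.1 as the latest release; confirm that wording is intended for the 2.15.1 page. As a style point, the literal values a user has to copy (log4j2.formatMsgNoLookups, LOG4J_FORMAT_MSG_NO_LOOKUPS, %m{nolookups}) sit in running prose; wrapping them in code markup would make a misspelling such as the one corrected here easier to spot in review, and a mistyped mitigation string can leave a reader believing they are protected when they are not.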