This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 9024aba  Update home page news
9024aba is described below

commit 9024aba1c96143018debb5b0e7198fc4dbe321a4
Author: Ralph Goers <[email protected]>
AuthorDate: Mon Dec 13 00:15:03 2021 -0700

    Update home page news
---
 log4j-2.16.0/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html
index 36cf613..2016364 100644
--- a/log4j-2.16.0/index.html
+++ b/log4j-2.16.0/index.html
@@ -195,7 +195,7 @@
 <h2><a name="Requirements"></a>Requirements</h2>
 <p>Log4j 2.13.0 and greater require Java 8. Version 2.4 through 2.12.1 
required Java 7 (the Log4j team no longer supports Java 7). Some features 
require optional dependencies; the documentation for these features will 
specify the required dependencies.</p></section><section>
 <h2><a name="News"></a>News</h2>
-<p>Log4j 2.15.1 has been released solely to disable access to JNDI by default. 
The CVE noted below was fixed in the 2.15.0 release. 2.15.1 is NOT a required 
upgrade but users may choose to use it to have confidence that JNDI will not be 
abused.</p><section>
+<p>Log4j 2.16.0 has been released solely to disable access to JNDI by default 
and completely remove the ability to use Lookups in messages. The CVE noted 
below was fixed in the 2.15.0 release. 2.16.0 is NOT a required upgrade but 
users may choose to use it to have confidence that JNDI will not be abused and 
that message Lookups are no longer possible.</p><section>
 <h3><a name="CVE-2021-44228"></a>CVE-2021-44228</h3>
 <p>The Log4j team has been made aware of a security vulnerability, 
CVE-2021-44228, that has been addressed in Log4j 2.15.0.</p>
 <p>Log4j&#x2019;s JNDI support has not restricted what names could be 
resolved. Some protocols are unsafe or can allow remote code execution. Log4j 
now limits the protocols by default to only java, ldap, and ldaps and limits 
the ldap protocols to only accessing Java primitive objects by default served 
on the local host.</p>
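Review bot: the rewritten News paragraph now says 2.16.0 disables JNDI by default and removes message Lookups entirely, but the unchanged CVE-2021-44228 section that follows it still describes only the 2.15.0 mitigation (protocols limited to java, ldap and ldaps; ldap limited to Java primitive objects served on the local host), so a reader who jumps straight to the CVE section will not learn that 2.16.0 goes further. Consider adding a sentence to the CVE section, or a pointer from it back to the News paragraph, so the two stay consistent. The new paragraph keeps the same `</p><section>` trailer as the line it replaces, so the section nesting is unchanged.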