This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new 2c16a18  Prepare for release
2c16a18 is described below

commit 2c16a18873aca86d987dd8c0e683185dfd84c3d0
Author: Ralph Goers <[email protected]>
AuthorDate: Fri Dec 17 18:43:03 2021 -0700

    Prepare for release
---
 RELEASE-NOTES.md            | 52 ++++++++++++++++++++++++++++-----------------
 src/changes/announcement.vm | 39 +++++++++++++++++-----------------
 src/changes/changes.xml     |  2 +-
 3 files changed, 54 insertions(+), 39 deletions(-)

diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 7d8afb3..3472cac 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -14,9 +14,9 @@
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
-# Apache Log4j 2.16.0 Release Notes
+# Apache Log4j 2.17.0 Release Notes
 
-The Apache Log4j 2 team is pleased to announce the Log4j 2.16.0 release!
+The Apache Log4j 2 team is pleased to announce the Log4j 2.17.0 release!
 
 Apache Log4j is a well known framework for logging application behavior. Log4j 
2 is an upgrade
 to Log4j that provides significant improvements over its predecessor, Log4j 
1.x, and provides
@@ -27,44 +27,58 @@ temporary objects) while logging. In addition, Log4j 2 will 
not lose events whil
 
 The artifacts may be downloaded from 
https://logging.apache.org/log4j/2.x/download.html.
 
-This release contains one change which is noted below.
+This release contains the changes noted below:
+
+* Address CVE-2021-45105.
+* Require components that use JNDI to be enabled individually via system 
properties.
+* Remove LDAP and LDAPS as supported protocols from JNDI.
 
 Due to a break in compatibility in the SLF4J binding, Log4j now ships with two 
versions of the SLF4J to Log4j adapters.
 log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
 later. SLF4J-2.0.0 alpha releases are not fully supported. See 
https://issues.apache.org/jira/browse/LOG4J2-2975 and
 https://jira.qos.ch/browse/SLF4J-511.
 
-Some of the changes in Log4j 2.16.0 include:
+Some of the changes in Log4j 2.17.0 include:
 
-* Remove Message Lookups.
-* While release 2.15.0 removed the ability to resolve Lookups and log messages 
and addressed issues with how JNDI
-is accessed, the Log4j team feels that having JNDI enabled by default 
introduces an undue risk for our users.
-Starting in version 2.16.0, JNDI functionality is disabled by default and can 
be re-enabled via the
-`log4j2.enableJndi` system property. Use of JNDI in an unprotected context is 
a large security risk and
-should be treated as such in both this library and all other Java libraries 
using JNDI.
-* Prior to version 2.15.0, Log4j would automatically resolve Lookups contained 
in the message or its parameters in the
-Pattern Layout. This behavior is no longer the default and must be enabled by 
specifying %msg{lookup}.
+* Disable recursive evaluation of Lookups during log event processing. 
Recursive evaluation is still allwoed while
+generating the configuration.
+* The JndiLookup, JndiContextSelector, and JMSAppender now require individual 
system properties to be enabled.
+* Removed support for the LDAP and LDAPS protocols via JNDI.
 
-The Log4j 2.16.0 API, as well as many core components, maintains binary 
compatibility with previous releases.
+The Log4j 2.17.0 API, as well as many core components, maintains binary 
compatibility with previous releases.
 
-## GA Release 2.16.0
+## GA Release 2.17.0
 
 Changes in this version include:
 
 
 ### Fixed Bugs
-* [LOG4J2-3208](https://issues.apache.org/jira/browse/LOG4J2-3208):
-Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow 
JNDI.
-* [LOG4J2-3211](https://issues.apache.org/jira/browse/LOG4J2-3211):
-Completely remove support for Message Lookups.
+                * 
[LOG4J2-3230](https://issues.apache.org/jira/browse/LOG4J2-3230):
+    Fix string substitution recursion.
+                * 
[LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242):
+    Limit JNDI to the java protocol only. JNDI will remain disabled by 
default. Rename JNDI enablement property from
+        'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 
'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'.
+                * 
[LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242):
+    Limit JNDI to the java protocol only. JNDI will remain disabled by 
default. The enablement
+        property has been renamed to 'log4j2.enableJndiJava'
+                * 
[LOG4J2-3241](https://issues.apache.org/jira/browse/LOG4J2-3241):
+    Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it 
causes problems with the
+        Maven enforcer plugin.
+                * 
[LOG4J2-3247](https://issues.apache.org/jira/browse/LOG4J2-3247):
+    PropertiesConfiguration.parseAppenderFilters NPE when parsing properties 
file filters.
+                * 
[LOG4J2-3249](https://issues.apache.org/jira/browse/LOG4J2-3249):
+    Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514.
+                * 
[LOG4J2-3237](https://issues.apache.org/jira/browse/LOG4J2-3237):
+    Log4j 1.2 bridge API hard codes the Syslog protocol to TCP.
 
 
 ---
 
-Apache Log4j 2.16.0 requires a minimum of Java 8 to build and run. Log4j 
2.12.1 is the last release to support
+Apache Log4j 2.17.0 requires a minimum of Java 8 to build and run. Log4j 
2.12.1 is the last release to support
 Java 7. Java 7 is not longer supported by the Log4j team.
 
 For complete information on Apache Log4j 2, including instructions on how to 
submit bug
 reports, patches, or suggestions for improvement, see the Apache Apache Log4j 
2 website:
 
 https://logging.apache.org/log4j/2.x/
+
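Review bot: LOG4J2-3242 is listed twice under "Fixed Bugs" with conflicting text. The first entry renames 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms' and 'log4j2.enableJndiContextSelector'; the second says the property has been renamed to 'log4j2.enableJndiJava'. The summary bullet earlier in this hunk ("now require individual system properties to be enabled") agrees with the first entry, so the second looks stale. Remove it from the source these notes are generated from and regenerate, so that the notes give operators a single set of property names for the controls that gate JNDI.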
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 64f15d0..352e27a 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -20,19 +20,19 @@
 #set($relVersion=$announceParameters.releaseVersion)
 #set($relCount=$announceParameters.releaseCount)
 #macro(formatAction $item)
-## Use replaceAll to fix up LF-only line ends on Windows.
-## Also replace < and > with entity versions to avoid HTML being 
misinterpreted.
-#set($action=$item.action.replaceAll("\n","
+    ## Use replaceAll to fix up LF-only line ends on Windows.
+    ## Also replace < and > with entity versions to avoid HTML being 
misinterpreted.
+    #set($action=$item.action.replaceAll("\n","
 ").replaceAll("<", "&lt;").replaceAll(">", "&gt;"))
-#if($item.issue)
-#set($issue = $item.issue)
-#set($url = "https://issues.apache.org/jira/browse/$issue";)
-#else
-#set($issue = "")
-#end
+    #if($item.issue)
+        #set($issue = $item.issue)
+        #set($url = "https://issues.apache.org/jira/browse/$issue";)
+    #else
+        #set($issue = "")
+    #end
 * #if($issue)[$issue]($url):#end
 
-${action}#if($item.dueTo) Thanks to ${item.dueTo}.#end
+    ${action}#if($item.dueTo) Thanks to ${item.dueTo}.#end
 
 #end
 ## -----------------------------------------
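Review bot: in the formatAction macro, the four spaces added in front of `${action}` are literal template text and are written into the generated output. The RELEASE-NOTES.md part of this commit shows the effect: each description now starts with four spaces (for example "    Fix string substitution recursion."), and the bullet lines themselves are deeply indented, which suggests the whitespace in front of the re-indented directives is leaking as well. Markdown treats lines indented by four or more spaces after a heading as a code block, so the "Fixed Bugs" list may not render as a list. Keep `${action}` at column 0 and check the rendered notes after the directives are re-indented.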
@@ -65,7 +65,11 @@ temporary objects) while logging. In addition, Log4j 2 will 
not lose events whil
 
 The artifacts may be downloaded from 
https://logging.apache.org/log4j/2.x/download.html.
 
-This release contains one change which is noted below.
+This release contains the changes noted below:
+
+* Address CVE-2021-45105.
+* Require components that use JNDI to be enabled individually via system 
properties.
+* Remove LDAP and LDAPS as supported protocols from JNDI.
 
 Due to a break in compatibility in the SLF4J binding, Log4j now ships with two 
versions of the SLF4J to Log4j adapters.
 log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
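Review bot: the added bullet "Require components that use JNDI to be enabled individually via system properties." does not name the properties or say that the existing one was renamed. The LOG4J2-3242 entry in changes.xml gives them as 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms' and 'log4j2.enableJndiContextSelector', replacing 'log4j2.enableJndi'. Putting those names in this summary lets a deployment that set 'log4j2.enableJndi' under 2.16.0 see straight away that its setting has to change. The CVE bullet is also hard-coded in a template that otherwise uses ${relVersion}, so it will need manual removal for the next release.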
@@ -74,14 +78,10 @@ https://jira.qos.ch/browse/SLF4J-511.
 
 Some of the changes in Log4j ${relVersion} include:
 
-* Remove Message Lookups.
-* While release 2.15.0 removed the ability to resolve Lookups and log messages 
and addressed issues with how JNDI
-is accessed, the Log4j team feels that having JNDI enabled by default 
introduces an undue risk for our users.
-Starting in version 2.16.0, JNDI functionality is disabled by default and can 
be re-enabled via the
-`log4j2.enableJndi` system property. Use of JNDI in an unprotected context is 
a large security risk and
-should be treated as such in both this library and all other Java libraries 
using JNDI.
-* Prior to version 2.15.0, Log4j would automatically resolve Lookups contained 
in the message or its parameters in the
-Pattern Layout. This behavior is no longer the default and must be enabled by 
specifying %msg{lookup}.
+* Disable recursive evaluation of Lookups during log event processing. 
Recursive evaluation is still allwoed while
+generating the configuration.
+* The JndiLookup, JndiContextSelector, and JMSAppender now require individual 
system properties to be enabled.
+* Removed support for the LDAP and LDAPS protocols via JNDI.
 
 The Log4j ${relVersion} API, as well as many core components, maintains binary 
compatibility with previous releases.
 
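Review bot: "allwoed" in the first added bullet should be "allowed". This template generates the release notes, and the same typo appears in the RELEASE-NOTES.md part of this commit, so fix it here and regenerate.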
@@ -132,3 +132,4 @@ For complete information on ${project.name}, including 
instructions on how to su
 reports, patches, or suggestions for improvement, see the Apache 
${project.name} website:
 
 ${project.url}
+
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 2f9473b..2dbd9ef 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -33,7 +33,7 @@
       <action issue="LOG4J2-3230" dev="ckozak" type="fix">
         Fix string substitution recursion.
       </action>
-      <action issue="LOG4J2-3242" dev="rgoers, ggregory" type="fix">
+      <action issue="LOG4J2-3242" dev="rgoers" type="fix">
         Limit JNDI to the java protocol only. JNDI will remain disabled by 
default. Rename JNDI enablement property from
         'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 
'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'.
       </action>
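Review bot: the dev attribute on the LOG4J2-3242 action drops "ggregory", and the commit message ("Prepare for release") gives no reason. If removing the credit is intentional, say why in the commit message; otherwise restore `dev="rgoers, ggregory"`.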
