This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new 9c13b8bbac Prepare for release 2.19.0
9c13b8bbac is described below

commit 9c13b8bbac92db5d05dae15cd40dfcc42bf0276f
Author: Ralph Goers <[email protected]>
AuthorDate: Fri Sep 9 00:03:55 2022 -0700

    Prepare for release 2.19.0
---
 RELEASE-NOTES.md              | 152 ++++++++++++++----------------------------
 pom.xml                       |   2 +-
 src/changes/announcement.vm   |   5 +-
 src/changes/changes.xml       |   2 +-
 src/site/markdown/security.md |  26 ++++++--
 5 files changed, 76 insertions(+), 111 deletions(-)

diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 6d696d7625..d705f3ab46 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -14,9 +14,9 @@
  See the License for the specific language governing permissions and
  limitations under the License.
 -->
-# Apache Log4j 2.18.0 Release Notes
+# Apache Log4j 2.19.0 Release Notes
 
-The Apache Log4j 2 team is pleased to announce the Log4j 2.18.0 release!
+The Apache Log4j 2 team is pleased to announce the Log4j 2.19.0 release!
 
 Apache Log4j is a well known framework for logging application behavior. Log4j 
2 is an upgrade
 to Log4j that provides significant improvements over its predecessor, Log4j 
1.x, and provides
@@ -30,123 +30,71 @@ The artifacts may be downloaded from 
https://logging.apache.org/log4j/2.x/downlo
 This release primarily contains bug fixes and minor enhancements.
 
 Due to a break in compatibility in the SLF4J binding, Log4j now ships with two 
versions of the SLF4J to Log4j adapters.
-log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
-later. SLF4J-2.0.0 alpha releases are not fully supported. See 
https://issues.apache.org/jira/browse/LOG4J2-2975 and
-https://jira.qos.ch/browse/SLF4J-511.
+log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j2-impl should be used with SLF4J 2.x and
+later. SLF4J-1.8.x is no longer supported as a GA release never occurred.
 
-The Log4j 2.18.0 API, as well as many core components, maintains binary 
compatibility with previous releases.
+The Log4j 2.19.0 API, as well as many core components, maintains binary 
compatibility with previous releases.
 
-## GA Release 2.18.0
+## GA Release 2.19.0
 
 Changes in this version include:
 
 ### New Features
-* [LOG4J2-3495](https://issues.apache.org/jira/browse/LOG4J2-3495):
-Add MutableThreadContextMapFilter.
-* [LOG4J2-3472](https://issues.apache.org/jira/browse/LOG4J2-3472):
-Add support for custom LMAX disruptor WaitStrategy configuration.
-* [LOG4J2-3419](https://issues.apache.org/jira/browse/LOG4J2-3419):
-Add support for custom Log4j 1.x levels.
-* [LOG4J2-3440](https://issues.apache.org/jira/browse/LOG4J2-3440):
-Add support for adding and retrieving appenders in Log4j 1.x bridge.
-* [LOG4J2-3362](https://issues.apache.org/jira/browse/LOG4J2-3362):
-Add support for Jakarta Mail API in the SMTP appender.
-* [LOG4J2-3483](https://issues.apache.org/jira/browse/LOG4J2-3483):
-Add support for Apache Extras' RollingFileAppender in Log4j 1.x bridge.
-* [LOG4J2-3538](https://issues.apache.org/jira/browse/LOG4J2-3538):
-Add support for 24 colors in highlighting Thanks to Pavel_K.
+* [LOG4J2-3583](https://issues.apache.org/jira/browse/LOG4J2-3583):
+Add support for SLF4J2 stack-valued MDC. Thanks to Pierrick Terrettaz.
+* [LOG4J2-2975](https://issues.apache.org/jira/browse/LOG4J2-2975):
+Add implementation of SLF4J2 fluent API. Thanks to Daniel Gray.
 
 ### Fixed Bugs
-* [LOG4J2-3339](https://issues.apache.org/jira/browse/LOG4J2-3339):
-DirectWriteRolloverStrategy should use the current time when creating files.
-* [LOG4J2-3534](https://issues.apache.org/jira/browse/LOG4J2-3534):
-Fix LevelRangeFilterBuilder to align with log4j1's behavior.
-* [LOG4J2-3527](https://issues.apache.org/jira/browse/LOG4J2-3527):
-Don't use Paths.get() to avoid circular file systems.
-* [LOG4J2-3490](https://issues.apache.org/jira/browse/LOG4J2-3490):
-The DirectWriteRolloverStrategy was not detecting the correct index to use 
during startup.
-* [LOG4J2-3432](https://issues.apache.org/jira/browse/LOG4J2-3432):
-SizeBasedTriggeringPolicy would fail to rename files properly when integer 
pattern contained a leading zero.
-* [LOG4J2-3491](https://issues.apache.org/jira/browse/LOG4J2-3491):
-Async Loggers were including the location information by default. Thanks to 
Avihai Marchiano.
-* [LOG4J2-1376](https://issues.apache.org/jira/browse/LOG4J2-1376):
-Allow enterprise id to be an OID fragment.
-* [LOG4J2-3493](https://issues.apache.org/jira/browse/LOG4J2-3493):
-ClassArbiter's newBuilder method referenced the wrong class. Thanks to Dmytro 
Voloshyn.
-* [LOG4J2-3481](https://issues.apache.org/jira/browse/LOG4J2-3481):
-HttpWatcher did not pass credentials when polling.
-* [LOG4J2-3482](https://issues.apache.org/jira/browse/LOG4J2-3482):
-UrlConnectionFactory.createConnection now accepts an AuthorizationProvider as 
a parameter.
-* [LOG4J2-3477](https://issues.apache.org/jira/browse/LOG4J2-3477):
-Add the missing context stack to JsonLayout template. Thanks to filipc.
-* [LOG4J2-3393](https://issues.apache.org/jira/browse/LOG4J2-3393):
-Improve JsonTemplateLayout performance.
-* [LOG4J2-3424](https://issues.apache.org/jira/browse/LOG4J2-3424):
-Properties defined in configuration using a value attribute (as opposed to 
element) are read correctly.
-* [LOG4J2-3413](https://issues.apache.org/jira/browse/LOG4J2-3413):
-Fix resolution of non-Log4j properties.
-* [LOG4J2-3423](https://issues.apache.org/jira/browse/LOG4J2-3423):
-JAR file containing Log4j configuration isn't closed. Thanks to Radim Tlusty.
-* [LOG4J2-3425](https://issues.apache.org/jira/browse/LOG4J2-3425):
-Syslog appender lacks the SocketOptions setting. Thanks to Jiří Smolík.
-* [](https://issues.apache.org/jira/browse/LOG4J2-3425):
-Improve validation and reporting of configuration errors.
-* [](https://issues.apache.org/jira/browse/LOG4J2-3425):
-Log4j 1.2 bridge should generate Log4j 2.x messages based on the parameter 
runtime type.
-* [LOG4J2-3426](https://issues.apache.org/jira/browse/LOG4J2-3426):
-Log4j 1.2 bridge should not wrap components unnecessarily. Thanks to Pooja 
Pandey.
-* [LOG4J2-3418](https://issues.apache.org/jira/browse/LOG4J2-3418):
-Fixes Spring Boot logging system registration in a multi-application 
environment.
-* [LOG4J2-3040](https://issues.apache.org/jira/browse/LOG4J2-3040):
-Avoid ClassCastException in JeroMqManager with custom LoggerContextFactory 
#791. Thanks to LF-Lin.
-* [](https://issues.apache.org/jira/browse/LOG4J2-3040):
-Fix minor typo #792. Thanks to LF-Lin.
-* [LOG4J2-3439](https://issues.apache.org/jira/browse/LOG4J2-3439):
-Fixes default SslConfiguration, when a custom keystore is used. Thanks to 
Jayesh Netravali.
-* [LOG4J2-3447](https://issues.apache.org/jira/browse/LOG4J2-3447):
-Fixes appender concurrency problems in Log4j 1.x bridge. Thanks to Pooja 
Pandey.
-* [LOG4J2-3452](https://issues.apache.org/jira/browse/LOG4J2-3452):
-Fix and test for race condition in FileUtils.mkdir(). Thanks to Stefan Vodita.
-* [LOG4J2-3458](https://issues.apache.org/jira/browse/LOG4J2-3458):
-LocalizedMessage logs misleading errors on the console.
-* [LOG4J2-3359](https://issues.apache.org/jira/browse/LOG4J2-3359):
-Fixes the syslog appender in Log4j 1.x bridge, when used with a custom layout. 
Thanks to Tukesh.
-* [LOG4J2-3359](https://issues.apache.org/jira/browse/LOG4J2-3359):
-log4j-1.2-api 2.17.2 throws NullPointerException while removing appender with 
name as null. Thanks to Rajesh.
-* [LOG4J2-2872](https://issues.apache.org/jira/browse/LOG4J2-2872):
-Fix problem with non-uppercase custom levels. Thanks to Alla Gofman.
-* [LOG4J2-3475](https://issues.apache.org/jira/browse/LOG4J2-3475):
-Add missing message parameterization in RegexFilter. Thanks to Jeremy Lin.
-* [LOG4J2-3428](https://issues.apache.org/jira/browse/LOG4J2-3428):
-Update 3rd party dependencies for 2.18.0.
-* [LOG4J2-3531](https://issues.apache.org/jira/browse/LOG4J2-3531):
-Fix parsing error, when XInclude is disabled. Thanks to Simo Nikula.
-* [LOG4J2-3537](https://issues.apache.org/jira/browse/LOG4J2-3537):
-Fixes problem with wrong ANSI escape code for bright colors Thanks to Pavel_K.
+* [LOG4J2-3578](https://issues.apache.org/jira/browse/LOG4J2-3578):
+Generate new SSL certs for testing.
+* [LOG4J2-3556](https://issues.apache.org/jira/browse/LOG4J2-3556):
+Make JsonTemplateLayout stack trace truncation operate for each label block. 
Thanks to Arthur Gavlyukovskiy.
+* [LOG4J2-3550](https://issues.apache.org/jira/browse/LOG4J2-3550):
+SystemPropertyArbiter was assigning the value as the name. Thanks to 
DongjianPeng.
+* [LOG4J2-3560](https://issues.apache.org/jira/browse/LOG4J2-3560):
+Logger$PrivateConfig.filter(Level, Marker, String) was allocating empty 
varargs array. Thanks to David Schlosnagle.
+* [LOG4J2-3561](https://issues.apache.org/jira/browse/LOG4J2-3561):
+Allows a space separated list of style specifiers in the %style pattern for 
consistency with %highlight. Thanks to Robert Papp.
+* [LOG4J2-3564](https://issues.apache.org/jira/browse/LOG4J2-3564):
+Fix NPE in `log4j-to-jul` in the case the root logger level is null.
+* [LOG4J2-3545](https://issues.apache.org/jira/browse/LOG4J2-3545):
+Add correct manifest entries for OSGi to log4j-jcl Thanks to Johan Compagner.
+* [LOG4J2-3565](https://issues.apache.org/jira/browse/LOG4J2-3565):
+Fix RollingRandomAccessFileAppender with DirectWriteRolloverStrategy can't 
create the first log file of different directory.
+* [LOG4J2-3579](https://issues.apache.org/jira/browse/LOG4J2-3579):
+Fix ServiceLoaderUtil behavior in the presence of a SecurityManager. Thanks to 
Boris Unckel.
+* [LOG4J2-3559](https://issues.apache.org/jira/browse/LOG4J2-3559):
+Fix resolution of properties not starting with `log4j2.`. Thanks to Gary 
Gregory.
+* [LOG4J2-3557](https://issues.apache.org/jira/browse/LOG4J2-3557):
+Fix recursion between Log4j 1.2 LogManager and Category. Thanks to Andreas 
Leitgeb.
+* [LOG4J2-3587](https://issues.apache.org/jira/browse/LOG4J2-3587):
+Fix regression in Rfc5424Layout default values. Thanks to Tomas Micko.
+* [LOG4J2-3548](https://issues.apache.org/jira/browse/LOG4J2-3548):
+Improve support for passwordless keystores. Thanks to Kristof Farkas-Pall.
 
 ### Changes
-* [LOG4J2-3536](https://issues.apache.org/jira/browse/LOG4J2-3536):
-Upgrade the Flume Appender to Flume 1.10.0
-* [LOG4J2-3516](https://issues.apache.org/jira/browse/LOG4J2-3516):
-Move perf tests to log4j-core-its
-* [LOG4J2-3506](https://issues.apache.org/jira/browse/LOG4J2-3506):
-Support Spring 2.6.x.
-* [LOG4J2-3473](https://issues.apache.org/jira/browse/LOG4J2-3473):
-Make the default disruptor WaitStrategy used by Async Loggers garbage-free.
-* [LOG4J2-3476](https://issues.apache.org/jira/browse/LOG4J2-3476):
-Do not throw UnsupportedOperationException when JUL ApiLogger::setLevel is 
called.
-* [LOG4J2-3427](https://issues.apache.org/jira/browse/LOG4J2-3427):
-Improves ServiceLoader support on servlet containers.
-
+* [LOG4J2-3572](https://issues.apache.org/jira/browse/LOG4J2-3572):
+Add getExlicitLevel method to LoggerConfig.
+* [LOG4J2-3589](https://issues.apache.org/jira/browse/LOG4J2-3589):
+Allow Plugins to be injected with the LoggerContext reference.
+* [LOG4J2-3588](https://issues.apache.org/jira/browse/LOG4J2-3588):
+Allow PropertySources to be added.
+
+### Removed
+* [LOG4J2-3573](https://issues.apache.org/jira/browse/LOG4J2-3573):
+Removed build page in favor of a single build instructions file. Thanks to 
Wolff Bock von Wuelfingen.
+* [LOG4J2-3590](https://issues.apache.org/jira/browse/LOG4J2-3590):
+Remove SLF4J 1.8.x binding.
 ---
 
-Apache Log4j 2.18.0 requires a minimum of Java 8 to build and run.
+Apache Log4j 2.19.0 requires a minimum of Java 8 to build and run.
 Log4j 2.12.4 is the last release to support Java 7.
 Log4j 2.3.2 is the last release to support Java 6.
 Java 6 and Java 7 are no longer supported by the Log4j team.
 
 For complete information on Apache Log4j 2, including instructions on how to 
submit bug
-reports, patches, or suggestions for improvement, see the Apache Log4j 2 
website:
+reports, patches, or suggestions for improvement, see the Apache Apache Log4j 
2 website:
 
 https://logging.apache.org/log4j/2.x/
 
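Review bot: the replacement closing line reads "see the Apache Apache Log4j 2 website", a duplicated word introduced by this hunk where the removed line had it right; drop the repeat. Under "Changes", "Add getExlicitLevel method to LoggerConfig" looks like a misspelling of getExplicitLevel; confirm the method name actually added for LOG4J2-3572 and fix it here and in the identical changes.xml entry further down in this patch.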
diff --git a/pom.xml b/pom.xml
index b139e16e21..446cea3d17 100644
--- a/pom.xml
+++ b/pom.xml
@@ -229,7 +229,7 @@
   <properties>
     <!-- make sure to update these for each release! -->
     <log4jParentDir>${basedir}</log4jParentDir>
-    <Log4jReleaseVersion>2.18.0</Log4jReleaseVersion>
+    <Log4jReleaseVersion>2.19.0</Log4jReleaseVersion>
     <Log4jReleaseVersionJava7>2.12.4</Log4jReleaseVersionJava7>
     <Log4jReleaseVersionJava6>2.3.2</Log4jReleaseVersionJava6>
     <Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 8372038d69..06423d9e6e 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -68,9 +68,8 @@ The artifacts may be downloaded from 
https://logging.apache.org/log4j/2.x/downlo
 This release primarily contains bug fixes and minor enhancements.
 
 Due to a break in compatibility in the SLF4J binding, Log4j now ships with two 
versions of the SLF4J to Log4j adapters.
-log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j18-impl should be used with SLF4J 1.8.x and
-later. SLF4J-2.0.0 alpha releases are not fully supported. See 
https://issues.apache.org/jira/browse/LOG4J2-2975 and
-https://jira.qos.ch/browse/SLF4J-511.
+log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and 
log4j-slf4j2-impl should be used with SLF4J 2.x and
+later. SLF4J-1.8.x is no longer supported as a GA release never occurred.
 
 The Log4j ${relVersion} API, as well as many core components, maintains binary 
compatibility with previous releases.
 
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index fbb89c5003..38d90f44a5 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,7 +29,7 @@
          - "update" - Change
          - "remove" - Removed
     -->
-    <release version="2.19.0" date="2022-MM-DD" description="GA Release 
2.19.0">
+    <release version="2.19.0" date="2022-09-09" description="GA Release 
2.19.0">
       <action issue="LOG4J2-3572" dev="rgeors" type="update">
         Add getExlicitLevel method to LoggerConfig.
       </action>
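Review bot: the date is now filled in, but the unchanged context line `dev="rgeors"` on the first action looks like a misspelling of the committer id rgoers shown in the push header, and the action text carries the same "getExlicitLevel" spelling as RELEASE-NOTES.md; both are worth correcting while this file is being edited for the release.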
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index c688ed6b0f..4cf9320cc6 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -137,7 +137,9 @@ Alternatively, this infinite recursion issue can be 
mitigated in configuration:
 
 * In PatternLayout in the logging configuration, replace Context Lookups like 
`${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, 
%mdc, or %MDC).
 * Otherwise, in the configuration, remove references to Context Lookups like 
`${ctx:loginId}` or `$${ctx:loginId}` where they originate
-from sources external to the application such as HTTP headers or user input.
+from sources external to the application such as HTTP headers or user input. 
Note that this mitigation is insufficient in
+releases older than 2.12.2 (Java 7), and 2.16.0 (Java 8 and later) as the 
issues fixed in those releases will
+still be present.
 
 Note that only the log4j-core JAR file is impacted by this vulnerability.
 Applications using only the log4j-api JAR file without the log4j-core JAR file 
are not impacted by this vulnerability.
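Review bot: in the added sentence, "releases older than 2.12.2 (Java 7), and 2.16.0 (Java 8 and later)" has a stray comma before "and", and the parentheticals read as if they qualify the version rather than the release line; suggest "releases older than 2.12.2 (Java 7 line) or 2.16.0 (Java 8 and later line), because the issues fixed in those releases are still present". The line ending "user input. " also gains trailing whitespace.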
@@ -188,7 +190,10 @@ It was found that the fix to address 
[CVE-2021-44228](https://cve.mitre.org/cgi-
 When the logging configuration uses a non-default Pattern Layout with a 
Context Lookup (for example, $${ctx:loginId}),
 attackers with control over Thread Context Map (MDC) input data can craft 
malicious input data using a JNDI Lookup pattern,
 resulting in an information leak and remote code execution in some 
environments and local code execution in all environments;
-remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and 
Alpine Linux.
+remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and 
Alpine Linux. 
+
+Note that this vulnerability is not limited to just the JDNI lookup. Any other 
Lookup could also be included in a 
+Thread Context Map variable and possibly have private details exposed to 
anyone with access to the logs.
 
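Review bot: "JDNI lookup" in the new paragraph should be "JNDI lookup" (spelled correctly elsewhere on this page). Both added lines end in trailing whitespace, and the otherwise unchanged "Alpine Linux." line now shows as modified only because of a trailing space; revert that so the hunk carries content changes only.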
 ### Mitigation
 
@@ -203,6 +208,11 @@ Implement one of the following mitigation techniques:
 * Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for 
Java 8 and later).
 * Otherwise, in any release other than 2.16.0, you may remove the `JndiLookup` 
class from the classpath: `zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class`
 
+Users are advised that while removing the JndiLookup class prevents a 
potential RCE from occuring, it still leaves 
+the application vulnerable to other misuse of Lookups in Thread Context Map 
data. While the mitigations listed below in 
+the history section help in some situations, the only real solution is to 
upgarde to one of the releases listed in the
+first bullet above (or a newer release).
+
 Users are advised not to enable JNDI in Log4j 2.16.0, since it still allows 
LDAP connections.
 If the JMS Appender is required, use one of these versions: 2.3.1, 2.12.2, 
2.12.3 or 2.17.0:
 from these versions onwards, only the JAVA protocol is supported in JNDI 
connections.
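Review bot: the added paragraph misspells "occurring" and "upgrade" ("occuring", "upgarde"), and two of its lines end in trailing whitespace. For consistency with the bullet just above, write the class name as `JndiLookup` in code formatting here as well.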
@@ -280,7 +290,9 @@ Additional vulnerability details discovered independently 
by Ash Fox of Google,
 ## <a name="log4j-2.15.0"/> Fixed in Log4j 2.15.0 (Java 8)
 
 
[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228):
  Apache Log4j2 JNDI
-features do not protect against attacker controlled LDAP and other JNDI 
related endpoints.
+features do not protect against attacker controlled LDAP and other JNDI 
related endpoints. Log4j2 allows 
+Lookup expressions in the data being logged exposing the JNDI vulnerability, 
as well as other problems, 
+to be exploited by end users whose input is being logged.
 
 
|[CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
 | Remote Code Execution |
 | ----------------- | -------- |
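Review bot: the added sentence "Log4j2 allows Lookup expressions in the data being logged exposing the JNDI vulnerability, as well as other problems, to be exploited by end users whose input is being logged" is hard to parse; suggest "Because Log4j2 evaluates Lookup expressions found in logged data, anyone whose input is logged can trigger the JNDI vulnerability and other Lookup-related problems." Both new lines end in trailing whitespace, and "attacker controlled" here is hyphenated as "attacker-controlled" in the next hunk; pick one form.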
@@ -293,7 +305,7 @@ In Apache Log4j2 versions up to and including 2.14.1 
(excluding security release
 the JNDI features used in configurations, log messages, and parameters do not
 protect against attacker-controlled LDAP and other JNDI related endpoints.
 An attacker who can control log messages or log message parameters can execute
-arbitrary code loaded from LDAP servers when message lookup substitution is 
enabled.
+arbitrary code loaded from LDAP servers when message lookup substitution is 
enabled. 
 
 ### Mitigation
 
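Review bot: this hunk's only change is a trailing space appended to "enabled."; revert it so the diff stays limited to intended content edits.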
@@ -312,6 +324,12 @@ Implement one of the following mitigation techniques:
 * Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for 
Java 8 and later).
 * Otherwise, in any release other than 2.16.0, you may remove the `JndiLookup` 
class from the classpath: `zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class`
 
+Note that simply removing the JndiLookup only resolves one of the two bugs 
exposed in CVE-2021-44228. This still 
+allows users to enter lookup strings into input fields and cause them to be 
evaluated, which can cause StackOverflowExceptions
+or potentially expose private data to anyone provided access to the logs. 
While the mitigations listed below in the 
+history section help in some situations, the only real solution is to upgarde 
to one of the releases listed in the 
+first bullet above (or a newer release).
+
 Note that only the log4j-core JAR file is impacted by this vulnerability.
 Applications using only the log4j-api JAR file without the log4j-core JAR file 
are not impacted by this vulnerability.
 
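Review bot: "upgarde" should be "upgrade", and "StackOverflowExceptions" is not a JVM class; the condition described is a StackOverflowError, or simply "stack overflows" in prose. "anyone provided access to the logs" reads better as "anyone with access to the logs", matching the wording added earlier in this patch. Several added lines end in trailing whitespace, and the paragraph is a near-verbatim copy of the one added to the 2.17.0 mitigation section above; consider referring to that paragraph instead of duplicating it, so future wording fixes only have to be made once.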
