This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/2.x by this push:
new b1437003da Port new Download and Installation pages to `2.x` (#2487)
b1437003da is described below
commit b1437003da7e6c958955778f107b13a6d13555ba
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Apr 22 12:58:34 2024 +0200
Port new Download and Installation pages to `2.x` (#2487)
Co-authored-by: Volkan Yazıcı <[email protected]>
---
antora-playbook.yaml | 10 +-
pom.xml | 38 ++
src/site/antora/antora.tmpl.yml | 13 +-
src/site/antora/antora.yml | 13 +-
src/site/antora/modules/ROOT/nav.adoc | 5 +-
src/site/antora/modules/ROOT/pages/download.adoc | 233 +------
src/site/antora/modules/ROOT/pages/index.adoc | 31 +-
.../modules/ROOT/pages/manual/installation.adoc | 710 +++++++++++++++++++++
.../antora/modules/ROOT/pages/manual/logsep.adoc | 6 +-
src/site/antora/modules/ROOT/pages/security.adoc | 320 ----------
src/site/antora/modules/ROOT/pages/support.adoc | 145 -----
11 files changed, 814 insertions(+), 710 deletions(-)
diff --git a/antora-playbook.yaml b/antora-playbook.yaml
index 607c05b705..0b8db66622 100644
--- a/antora-playbook.yaml
+++ b/antora-playbook.yaml
@@ -77,11 +77,19 @@ ui:
<!-- `@asciidoctor/tabs` extension styles -->
<link rel="stylesheet" href="{{{uiRootPath}}}/css/vendor/tabs.css">
<style>
+ /* Default `h4` and `h5` are smaller than the normal text, fix
header font sizing: */
+ .doc h1 { font-size: 1.9rem; }
+ .doc h2 { font-size: 1.7rem; }
+ .doc h3 { font-size: 1.5rem; font-weight: 400; }
+ .doc h4 { font-size: 1.3rem; font-weight: 500; }
+ .doc h5 { font-size: 1.1rem; font-weight: 500; text-decoration:
underline; }
+ /* Tab header fonts aren't rendered good, adjusting the font weight:
*/
+ .tablist > ul li { font-weight: 500; }
/* `page-toclevels` greater than 4 are not supported by Antora UI,
patching it: */
.toc .toc-menu li[data-level="4"] a {
padding-left: 2.75rem
}
- /* Replace the default highlight.js color for strings from red to
green: */
+ /* Replace the default highlight.js color for strings from red
(unnecessarily signaling something negative) to green: */
.hljs-string {
color: #0f8532;
}
diff --git a/pom.xml b/pom.xml
index 65e6723903..a70186b600 100644
--- a/pom.xml
+++ b/pom.xml
@@ -331,9 +331,13 @@
<!-- Skipping `maven-site-plugin` globally. -->
<maven.site.skip>true</maven.site.skip>
<maven.site.deploy.skip>true</maven.site.deploy.skip>
+ <site-commons-logging.version>1.3.1</site-commons-logging.version>
+ <site-jackson.version>2.17.0</site-jackson.version>
<site-log4j-api.version>2.23.1</site-log4j-api.version>
<site-log4j-core.version>2.23.1</site-log4j-core.version>
<site-log4j-layout-template-json.version>2.23.1</site-log4j-layout-template-json.version>
+ <site-logback.version>1.5.5</site-logback.version>
+ <site-slf4j.version>2.0.13</site-slf4j.version>
<!-- =====================================================
Direct dependency version properties (in alphabetical order)
@@ -672,21 +676,55 @@
We need these `<dependency>` entries to trick `dependabot` to
update the version properties automatically.
No, we cannot use `${project.version}`, because it is not
released yet. -->
<dependencies>
+
+ <!-- Log4j component dependencies.
+ No, we cannot use `${project.version}`, because it is not
released yet. -->
+
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>${site-log4j-api.version}</version>
</dependency>
+
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${site-log4j-core.version}</version>
</dependency>
+
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-layout-template-json</artifactId>
<version>${site-log4j-layout-template-json.version}</version>
</dependency>
+
+ <!-- Other dependencies -->
+
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${site-commons-logging.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>com.fasterxml.jackson</groupId>
+ <artifactId>jackson-bom</artifactId>
+ <version>${site-jackson.version}</version>
+ <type>pom</type>
+ </dependency>
+
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-core</artifactId>
+ <version>${site-logback.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${site-slf4j.version}</version>
+ </dependency>
+
</dependencies>
<executions>
diff --git a/src/site/antora/antora.tmpl.yml b/src/site/antora/antora.tmpl.yml
index 01edf16908..c62fb0f3ef 100644
--- a/src/site/antora/antora.tmpl.yml
+++ b/src/site/antora/antora.tmpl.yml
@@ -38,13 +38,20 @@ version: ~
start_page: index.adoc
asciidoc:
attributes:
- log4j-api-version: "${site-log4j-api.version}"
- log4j-core-version: "${site-log4j-core.version}"
- log4j-layout-template-json-version:
"${site-log4j-layout-template-json.version}"
+ # Commons
project-github-url: "${scm.url}"
project-name: "Log4j"
project-id: "log4j"
java-target-version: "${maven.compiler.target}"
java-compiler-version: "${minimalJavaBuildVersion}"
+ logging-services-url: "https://logging.apache.org";
+ # Dependency versions
+ commons-logging-version: "${site-commons-logging.version}"
+ jackson-version: "${site-jackson.version}"
+ log4j-api-version: "${log4j-api.version}"
+ log4j-core-version: "${site-log4j-core.version}"
+ log4j-layout-template-json-version:
"${site-log4j-layout-template-json.version}"
+ logback-version: "${site-logback.version}"
+ slf4j-version: "${site-slf4j.version}"
nav:
- modules/ROOT/nav.adoc
diff --git a/src/site/antora/antora.yml b/src/site/antora/antora.yml
index 4b404c7bd6..b7d1fbe16e 100644
--- a/src/site/antora/antora.yml
+++ b/src/site/antora/antora.yml
@@ -38,13 +38,20 @@ version: ~
start_page: index.adoc
asciidoc:
attributes:
- log4j-api-version: "1.2.3-api"
- log4j-core-version: "1.2.3-core"
- log4j-layout-template-json-version: "1.2.3-layout-template-json"
+ # Commons
project-github-url: "https://github.com/apache/logging-log4j2";
project-name: "Log4j"
project-id: "log4j"
java-target-version: "8"
java-compiler-version: "[17,18)"
+ logging-services-url: "https://logging.apache.org";
+ # Dependency versions
+ commons-logging-version: "1.2.3-commons-logging"
+ jackson-version: "1.2.3-jackson"
+ log4j-api-version: "1.2.3-api"
+ log4j-core-version: "1.2.3-core"
+ log4j-layout-template-json-version: "1.2.3-layout-template-json"
+ logback-version: "1.2.3-logback"
+ slf4j-version: "1.2.3-slf4j"
nav:
- modules/ROOT/nav.adoc
diff --git a/src/site/antora/modules/ROOT/nav.adoc
b/src/site/antora/modules/ROOT/nav.adoc
index 9083676b09..7453e67fd7 100644
--- a/src/site/antora/modules/ROOT/nav.adoc
+++ b/src/site/antora/modules/ROOT/nav.adoc
@@ -18,12 +18,13 @@
* xref:download.adoc[Download]
** xref:runtime-dependencies.adoc[]
** xref:release-notes.adoc[]
-* xref:support.adoc[]
-** xref:security.adoc[]
+* link:{logging-services-url}/support[Support]
+** link:{logging-services-url}/security[Security]
** xref:thanks.adoc[Thanks]
.Learn
* xref:manual/index.adoc[]
+** xref:manual/installation.adoc[]
** xref:manual/architecture.adoc[]
** xref:manual/migration.adoc[]
** xref:manual/api.adoc[]
diff --git a/src/site/antora/modules/ROOT/pages/download.adoc
b/src/site/antora/modules/ROOT/pages/download.adoc
index e9db99093d..0666d48ac9 100644
--- a/src/site/antora/modules/ROOT/pages/download.adoc
+++ b/src/site/antora/modules/ROOT/pages/download.adoc
@@ -15,234 +15,9 @@
limitations under the License.
////
-= Install Apache Log4j
+= Download
-Apache Log4j is distributed under the
-https://www.apache.org/licenses/LICENSE-2.0.html[Apache License, version 2.0].
+You can manually download all published Log4j distributions, verify them, and
see their licensing information by following the instructions in
{logging-services-url}/download.html[the Download page] of
{logging-services-url}[Logging Services].
-[#using-a-build-system]
-== Using a build system
-
-The preferred way to use Log4j in your project is to use a build system as
Maven.
-Please add the following to your build systems configuration file `pom.xml` to
use Log4j.
-
-Log4j needs two dependencies, since it is separated between the API and the
Core.
-
-[tabs%sync]
-====
-Maven::
-+
-.`pom.xml` snippet
-[source,xml,subs="+attributes"]
-----
-<dependencies>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-api</artifactId>
- <version>{log4j-api-version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- <version>{log4j-core-version}</version>
- </dependency>
-</dependencies>
-----
-
-Gradle::
-+
-.`build.gradle` snippet
-[source,subs="+attributes"]
-----
-compile 'org.apache.logging.log4j:log4j-api:{log4j-api-version}'
-compile 'org.apache.logging.log4j:log4j-core:{log4j-core-version}'
-----
-
-Ivy::
-+
-.`ivy.xml` snippet
-[source,xml,subs="+attributes"]
-----
-<dependencies>
- <dependency org="org.apache.logging.log4j" name="log4j-api"
rev="{log4j-api-version}" />
- <dependency org="org.apache.logging.log4j" name="log4j-core"
rev="{log4j-core-version}" />
-</dependencies>
-----
-====
-
-== Bill of materials
-
-To keep your Log4j module versions in sync with each other, a BOM (Bill of
Material)
-pom.xml file is provided for your convenience. To use this with
https://maven.apache.org/[Maven],
-add the dependency listed below to your `pom.xml` file.
-When you specify the version identifier in this section, you don't have to
specify the version in your `<dependencies/>` section.
-
-[tabs%sync]
-====
-Maven::
-+
-.`pom.xml` snippet
-[source,xml,subs="+attributes"]
-----
-<dependencyManagement>
- <dependencies>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-bom</artifactId>
- <version>{log4j-core-version}</version>
- <scope>import</scope>
- <type>pom</type>
- </dependency>
- </dependencies>
-</dependencyManagement>
-----
-
-Gradle::
-+
-.`build.gradle` snippet
-[source,subs="+attributes"]
-----
-plugins {
- id 'io.spring.dependency-management' version '1.0.1.RELEASE' //<1>
-}
-
-dependencyManagement {
- imports {
- mavenBom 'org.apache.logging.log4j:log4j-bom:{log4j-core-version}'
- }
-}
-
-dependencies {
- implementation 'org.apache.logging.log4j:log4j-api'
- implementation 'org.apache.logging.log4j:log4j-core'
- // etc.
-}
-----
-<1> The additional
https://github.com/spring-gradle-plugins/dependency-management-plugin[Gradle
plugin] required for dependency management functionality.
-====
-
-== Snapshot builds
-
-You can access the latest development snapshot by using the Maven repository
-`https://repository.apache.org/snapshots` and the current SNAPSHOT version.
-Generally, the master branch will use the next patch version as its snapshot
-version regardless of what the next actual version of Log4j will be. For
example,
-if the latest release were `3.0`, then master would be using the version
-`3.0.1-SNAPSHOT`.
-
-To enable snapshots you'll need to enable Snapshots repositories in your build
system.
-
-[tabs%sync]
-====
-Maven::
-+
-.`pom.xml` snippet
-[source,xml,subs="+attributes"]
-----
-<repositories>
- <repository>
- <id>apache.snapshots</id>
- <name>Apache Snapshot Repository</name>
- <url>https://repository.apache.org/snapshots</url>
- <releases>
- <enabled>false</enabled>
- </releases>
- </repository>
-</repositories>
-----
-
-Gradle::
-+
-.`build.gradle` snippet
-[source,subs="+attributes"]
-----
-repositories {
- mavenCentral()
- maven { url 'https://repository.apache.org/snapshots' }
-}
-----
-
-SBT::
-+
-.`build.sbt` snippet
-[source,subs="+attributes"]
-----
-resolvers += "Apache Snapshot Repository" at
"https://repository.apache.org/snapshots";
-----
-====
-
-== Manual Download
-
-The link in the Mirrors column should display a list of available
-mirrors with a default selection based on your inferred location. If you
-do not see that page, try a different browser. The checksum and
-signature are links to the originals on the main distribution server.
-
-|===
-|Distribution |Mirrors |Checksum |Signature
-
-|Apache Log4j binary (tar.gz)
-|https://www.apache.org/dyn/closer.lua/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.tar.gz[apache-log4j-{log4j-core-version}-bin.tar.gz]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.tar.gz.sha512[apache-log4j-{log4j-core-version}-bin.tar.gz.sha512]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.tar.gz.asc[apache-log4j-{log4j-core-version}-bin.tar.gz.asc]
-
-|Apache Log4j binary (zip)
-|https://www.apache.org/dyn/closer.lua/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.zip[apache-log4j-{log4j-core-version}-bin.zip]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.zip.sha512[apache-log4j-{log4j-core-version}-bin.zip.sha512]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-bin.zip.asc[apache-log4j-{log4j-core-version}-bin.zip.asc]
-
-|Apache Log4j source (tar.gz)
-|https://www.apache.org/dyn/closer.lua/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.tar.gz[apache-log4j-{log4j-core-version}-src.tar.gz]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.tar.gz.sha512[apache-log4j-{log4j-core-version}-src.tar.gz.sha512]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.tar.gz.asc[apache-log4j-{log4j-core-version}-src.tar.gz.asc]
-
-|Apache Log4j source (zip)
-|https://www.apache.org/dyn/closer.lua/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.zip[apache-log4j-{log4j-core-version}-src.zip]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.zip.sha512[apache-log4j-{log4j-core-version}-src.zip.sha512]
-|https://www.apache.org/dist/logging/log4j/{log4j-core-version}/apache-log4j-{log4j-core-version}-src.zip.asc[apache-log4j-{log4j-core-version}-src.zip.asc]
-|===
-
-It is essential that you verify the integrity of the downloaded files
-using the PGP or SHA512 signatures. Please read
-https://httpd.apache.org/dev/verification.html[Verifying Apache HTTP
-Server Releases] for more information on why you should verify our
-releases.
-
-The PGP signatures can be verified using PGP or GPG. First download the
-https://downloads.apache.org/logging/KEYS[KEYS] as well as the asc
-signature file for the relevant distribution. Make sure you get these
-files from the https://www.apache.org/dist/logging/[main distribution
-directory], rather than from a mirror. Then verify the signatures using
-
-[source,sh,subs=attributes,subs="+attributes"]
-----
-gpg --import KEYS
-gpg --verify apache-log4j-{log4j-core-version}-bin.zip.asc
-----
-
-Alternatively, you can verify the SHA512 signature on the files. A unix
-program called sha512sum is included in many unix distributions.
-
-[#requirements]
-== Requirements
-
-The Apache Log4j runtime requires a minimum of Java 17.
-See the http://logging.apache.org/2.x[Log4j 2 website] for the latest releases
supporting Java 6, 7, and 8.
-
-== Previous Releases
-
-All previous releases of Apache log4j can be found in the
-https://archive.apache.org/dist/logging/log4j/[ASF archive repository]. Of
course, all releases are availble for
-use as dependencies from the
https://search.maven.org/search?q=org.apache.logging.log4j[Maven Central
Repository]
-
-== Using Apache Log4j on your classpath
-
-To use Log4j in your application make sure that the API, Plugins, and Core
-jars are in the application’s classpath. Add the dependencies listed
-below to your classpath.
-
-* log4j-api-{log4j-api-version}.jar
-* log4j-plugins-{log4j-core-version}.jar
-* log4j-core-{log4j-core-version}.jar
-
-You can do this from the command line or a manifest file.
+* Are you looking for **the Log4j installation instructions**? Proceed to
xref:manual/installation.adoc[].
+* Are you looking for the list of changes associated with a particular
release? Proceed to xref:release-notes.adoc[].
diff --git a/src/site/antora/modules/ROOT/pages/index.adoc
b/src/site/antora/modules/ROOT/pages/index.adoc
index b9c3e5e675..879c5ab4cc 100644
--- a/src/site/antora/modules/ROOT/pages/index.adoc
+++ b/src/site/antora/modules/ROOT/pages/index.adoc
@@ -19,15 +19,15 @@
Apache Log4j is a versatile, industrial-grade Java logging framework composed
of an API, its implementation, and components to assist the deployment for
various use cases.
Log4j is
https://security.googleblog.com/2021/12/apache-log4j-vulnerability.html[used by
8% of the Maven ecosystem] and listed as one of
https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=1024997528[the
top 100 critical open source software projects].
-The project is actively maintained by a link:/team-list.html[team] of several
volunteers and xref:support.adoc[support]ed by a big community.
+The project is actively maintained by a
{logging-services-url}/team-list.html[team] of several volunteers and
{logging-services-url}/support[support]ed by a big community.
[#shortcuts]
== Shortcuts
-- xref:download.adoc#using-a-build-system[How can I add Log4j artifacts to my
Maven/Ivy/Gradle project?]
+- xref:manual/installation.adoc[How can I add Log4j artifacts to my
Maven/Ivy/Gradle project?]
- xref:manual/usage.adoc[How can I use the Log4j API?]
- xref:manual/configuration.adoc[How can I configure my `log4j2.xml`?]
- xref:release-notes.adoc[Where are the release notes?]
-- xref:support.adoc[**I need help!**]
+- {logging-services-url}/support[**I need help!**]
[#features]
== Features
@@ -45,7 +45,7 @@ API separation::
The API for Log4j (i.e., `log4j-api`) is separate from the implementation
(i.e., `log4j-core`) making it clear for application developers which classes
and methods they can use while ensuring forward compatibility.
(See xref:manual/api-separation.adoc[API Separation] for details.)
The Log4j API also provides the most feature rich logging facade in the
market; support for various `Message` types (`Object`, `Map`, etc.) besides
plain `String`, lambda expressions, parametrized logging, markers, levels,
diagnostic contexts (aka. MDC/NDC), etc.
-Check out the xref:manual/api.adoc[Java API], link:/log4j/kotlin[Kotlin API],
and link:/log4j/scala[Scala API] pages for further information.
+Check out the xref:manual/api.adoc[Java API],
{logging-services-url}/log4j/kotlin[Kotlin API], and
{logging-services-url}/log4j/scala[Scala API] pages for further information.
No vendor lock-in::
Even though the Log4j API is implemented by the Log4j at its fullest, users
can choose to use another logging backend.
@@ -60,3 +60,26 @@ Extensibility::
Log4j contains a fully-fledged xref:manual/plugins.adoc[plugin support] that
users can leverage to extend its functionality.
You can easily add your own components (layouts, appenders, filters, etc.) or
customizing existing ones (e.g., adding new directives to the
xref:manual/layouts.adoc#PatternLayout[Pattern] or
xref:manual/json-template-layout.adoc#extending[JSON Template Layout]).
Check out the xref:manual/extending.adoc[Extending Log4j] page.
+
+[#requirements]
+== Requirements
+
+Log4j 2 runtime requires a minimum of Java 8.
+Older versions of Java are supported by previous releases.
+
+[#older-releases]
+== Older releases
+
+Are you looking for old versions of Log4j?
+While we recommend to always use the latest version, you can find the older
versions here:
+
+* {logging-services-url}/1.x/[Log4j 1.x (End of Life, Java 1.4)]
+* {logging-services-url}/2.3.x/[Log4j 2.3.x (Java 6)]
+* {logging-services-url}/2.12.x/[Log4j 2.12.x (Java 7)]
+
+[#compat]
+== Compatibility
+
+The `log4j-1.2-api` module provides compatibility for applications using the
Log4j 1 logging methods.
+Log4j 2 also provides support for Log4j 1 configuration files.
+See xref:manual/migration.adoc#ConfigurationCompatibility[Log4j 2
compatibility with Log4j 1] for more information.
diff --git a/src/site/antora/modules/ROOT/pages/manual/installation.adoc
b/src/site/antora/modules/ROOT/pages/manual/installation.adoc
new file mode 100644
index 0000000000..c2ac9f13c9
--- /dev/null
+++ b/src/site/antora/modules/ROOT/pages/manual/installation.adoc
@@ -0,0 +1,710 @@
+////
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+////
+
+:jcl-link: https://commons.apache.org/proper/commons-logging/[JCL (Apache
Commons Logging)]
+:jpl-link: https://openjdk.org/jeps/264[JPL (Java Platform Logging)]
+:jul-link:
https://docs.oracle.com/en/java/javase/{java-target-version}/core/java-logging-overview.html[JUL
(Java Logging)]
+:logback-link: https://logback.qos.ch/[Logback]
+:slf4j-link: https://www.slf4j.org/[SLF4J]
+:jboss-logging-link: https://github.com/jboss-logging/jboss-logging[JBoss
Logging]
+
+= Installation
+
+In this page we will elaborate on various ways to install Log4j in your
library or application.
+
+[#impatient]
+== For the impatient
+
+Below we share some shortcuts for the impatient.
+
+[WARNING]
+====
+We strongly advise you to skim through this page to get a grip on fundamental
logging concepts and understand which recipe fits to your bill best.
+====
+
+Are you a library developer?::
+You just need to log against xref:#logging-api[a logging API].
+See <<api>>.
+
+Are you an application developer?::
+Your code and libraries it depends on are most probably already logging
against a logging API, you just need to install xref:#logging-impl[a logging
implementation].
+See <<impl-core>>.
+
+Are you a Spring Boot application developer?::
+See <<impl-core-spring-boot>>.
+
+[#concepts]
+== Concepts (APIs, Implementations, and Bridges)
+
+It is crucial to understand certain concepts in logging to be able to talk
about the installation of them.
+
+[#logging-api]
+Logging API::
+A logging API is an interface your code or your dependencies directly logs
against.
+It is implementation agnostic.
+Log4j API, {slf4j-link}, {jul-link}, {jcl-link}, {jpl-link} and
{jboss-logging-link} are major logging APIs.
+
+[#logging-impl]
+Logging implementation::
+A logging implementation is only required at runtime and can be changed
without the need to recompile your software.
+Log4j Core, {jul-link}, {logback-link} are the most well-known logging
implementations.
++
+[TIP]
+====
+Note that JUL and Log4j provide both an API and its implementation.
+In the case of Log4j, the API is called _Log4j API_, and its reference
implementation is called _Log4j Core_.
+====
+
+[#logging-bridge]
+Logging bridge::
+Logging implementations accept input from a single logging API of their
preference; Log4j Core from Log4j API, Logback from SLF4J, etc.
+A logging bridge is a simple logging implementation of a logging API that
forward all messages to a foreign logging API.
+Logging bridges allow a logging implementation to accept input from other
logging APIs that are not their primary logging API.
+For instance, `log4j-slf4j2-impl` _bridges_ SLF4J calls to Log4 API and
effectively enables Log4j Core to accept input from SLF4J.
+
+With this in mind, the type of software you are writing determines whether you
should be installing a logging API, implementation, or bridge:
+
+Libraries::
+only require a logging API and delegate the choice of the implementation to
applications.
+If a logging implementation is required by tests of the library, it should be
in the appropriate test scope.
+
+Applications::
+need a logging implementation, but also bridges of each of the major logging
APIs to support log statements from the libraries they use.
+For instance, your application might be logging against Log4j API and one of
its dependencies against SLF4J.
+In this case, you need to install `log4j-core` and `log4j-slf4j2-impl`.
+(This is an example, we will elaborate on this case more in <<impl-core>>.)
+
+[#requirements]
+== Requirements
+
+The Log4j 2 runtime requires a minimum of Java {java-target-version}.
+See xref:index.adoc#older-releases[older releases] for the latest releases
supporting Java 6 and 7.
+
+[#build-tool]
+== Configuring the build tool
+
+The easiest way to install Log4j is through a build tool such as Maven or
Gradle.
+The rest of the instructions in this page assume you use one of these.
+
+[#bom]
+=== Importing the Bill-of-Materials (aka. BOM)
+
+To keep your Log4j module versions in sync with each other, a BOM (Bill of
Material) file is provided for your convenience.
+You can import the BOM in your build tool of preference:
+
+[tabs]
+====
+Maven::
++
+[source,xml,subs="+attributes"]
+----
+<dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-bom</artifactId>
+ <version>{log4j-core-version}</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ </dependencies>
+</dependencyManagement>
+----
+
+Gradle::
++
+[source,groovy,subs="+attributes"]
+----
+dependencies {
+ implementation
platform('org.apache.logging.log4j:log4j-bom:{log4j-core-version}')
+}
+----
+====
+
+Once you import the BOM, you don't need to explicitly provide the versions of
the Log4j artifacts managed by it.
+
+In the rest of the explanations, we will assume that the Log4j BOM is imported.
+
+[#snapshots]
+=== Using snapshots
+
+[%collapsible]
+.Do you want to test the latest (**unstable!**) development version? Click
here details.
+====
+
+You can access the latest development snapshots by using the
`https://repository.apache.org/snapshots` repository.
+
+[WARNING]
+=====
+Snapshots are published for development and testing purposes; **they should
not be used at production!**
+=====
+
+[tabs]
+=====
+Maven::
++
+[source,xml]
+----
+<repositories>
+ <repository>
+ <id>apache.snapshots</id>
+ <name>Apache Snapshot Repository</name>
+ <url>https://repository.apache.org/snapshots</url>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
+ </repository>
+</repositories>
+----
+
+Gradle::
++
+[source,groovy]
+----
+repositories {
+ mavenCentral()
+ maven { url 'https://repository.apache.org/snapshots' }
+}
+----
+=====
+====
+
+[#api]
+== Installing Log4j API
+
+The easiest way to install Log4j API is through a dependency management tool
such as Maven or Gradle, by adding the following dependency:
+
+[tabs]
+====
+Maven::
++
+[source,xml]
+----
+<dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+</dependency>
+----
+
+Gradle::
++
+[source,groovy]
+----
+implementation 'org.apache.logging.log4j:log4j-api'
+----
+====
+
+[#impl]
+== Installing a logging implementation
+
+Log4j provides several modules to facilitate deployment of different logging
implementations:
+
+`log4j-core`::
+The reference implementation.
+Refer to <<impl-core>> for the installation instructions.
+
+`log4j-to-jul`::
+The bridge that translates Log4j API calls to {jul-link}.
+See <<impl-jul>> for the installation instructions.
+
+`log4j-to-slf4j`::
+The bridge that translates Log4j API calls to {slf4j-link}.
+Since currently only
+https://logback.qos.ch/[Logback] implements SLF4J natively, refer to
<<impl-logback>> for the installation instructions.
+
+[IMPORTANT]
+====
+In order to ensure that your code does not directly depend on a particular
logging implementation, the logging backend should be put in the appropriate
scope of your dependency manager:
+
+[cols="2,1m,1m"]
+|===
+.2+h| Software type
+2+^h| Build tool
+
+h| Maven
+h| Gradle
+
+| Application
+| runtime
+| runtimeOnly
+
+| Library
+| test
+| testRuntimeOnly
+|===
+====
+
+[#impl-core]
+=== Installing Log4j Core
+
+Log4j Core is the reference logging implementation of the Log4j project.
+It primarily accepts input from Log4j API.
+
+[TIP]
+====
+Do you have a Spring Boot application?
+You can directly skip to xref:#impl-core-spring-boot[].
+====
+
+To install Log4j Core as your logging implementation, you need to add the
following dependency to your application:
+
+[tabs]
+====
+Maven::
++
+[source,xml]
+----
+<dependencies>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <!-- Logging bridges will follow... -->
+</dependencies>
+----
+
+Gradle::
++
+[source,groovy]
+----
+runtimeOnly 'org.apache.logging.log4j:log4j-core'
+// Logging bridges will follow...
+----
+====
+
+[#impl-core-bridges]
+==== Installing bridges
+
+If either your application or one if its dependencies logs against a logging
API that is different from Log4j API, you need to xref:#logging-bridge[bridge]
that API to Log4j API.
+Following sections explain installation of Log4j-provided bridges.
+
+[#impl-core-bridge-slf4j]
+===== Installing SLF4J-to-Log4j bridge
+
+You can translate {slf4j-link} calls to Log4j API using the
`log4j-slf4j2-impl` artifact:
+
+[tabs]
+====
+Maven::
++
+[source,xml]
+----
+<!-- SLF4J-to-Log4j bridge -->
+<dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-slf4j2-impl</artifactId>
+ <scope>runtime</scope>
+</dependency>
+----
+
+Gradle::
++
+[source,groovy]
+----
+runtimeOnly 'org.apache.logging.log4j:log4j-slf4j2-impl' // SLF4J-to-Log4j
bridge
+----
+====
+
+[#impl-core-bridge-jul]
+===== Installing JUL-to-Log4j bridge
+
+You can translate {jul-link} calls to Log4j API using the `log4j-jul` artifact:
+
+[tabs]
+====
+Maven::
++
+[source,xml]
+----
+<!-- JUL-to-Log4j bridge -->
+<dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-jul</artifactId>
+ <scope>runtime</scope>
+</dependency>
+----
+
+Gradle::
++
+[source,groovy]
+----
+runtimeOnly 'org.apache.logging.log4j:log4j-jul' // JUL-to-Log4j bridge
+----
+====
+
+In order to activate the bridge from JUL to Log4j API, you also need to add:
+
+[source]
+----
+-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
+----
+
+to the JVM parameters in your application launcher.
+
+[#impl-core-bridge-jpl]
+===== Installing JPL-to-Log4j bridge
+
+You can translate {jpl-link} calls to Log4j API using the `log4j-jpl` artifact:
+
+[tabs]
+====
+Maven::
++
+[source,xml]
+----
+<!-- JPL-to-Log4j bridge -->
+<dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-jpl</artifactId>
+ <scope>runtime</scope>
+</dependency>
+----
+
+Gradle::
++
+[source,groovy]
+----
+runtimeOnly 'org.apache.logging.log4j:log4j-jpl' // JPL-to-Log4j bridge
+----
+====
+
+[#impl-core-bridge-jcl]
+===== Installing JCL-to-Log4j bridge
+
+Since version `1.3.0`
https://commons.apache.org/proper/commons-logging/[Apache Commons Logging]
natively supports Log4j API.
+
+You can enforce the version of a transitive dependency using the dependency
management mechanism appropriate to your
+build tool:
+
+Maven::
+Maven users should add an entry to the `<dependencyManagement>` section of
their POM file:
++
+[source,xml,subs="+attributes"]
+----
+<dependencyManagement>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>{commons-logging-version}</version>
+ </dependency>
+</dependencyManagement>
+----
+
+Gradle::
++
+Gradle users should refer to the
https://docs.gradle.org/current/userguide/platforms.html#sub:using-platform-to-control-transitive-deps[Using
a platform to control transitive versions] of the Gradle documentation.
+
+[#impl-core-bridge-jboss-logging]
+===== Installing JBoss Logging-to-Log4j bridge
+
+The JBoss Logging API is shipped with an integrated bridge to Log4j API and
requires no steps from your part. See
+https://github.com/jboss-logging/jboss-logging?tab=readme-ov-file#supported-log-managers[Supported
Log Managers] for more information.
+
+[#impl-core-spring-boot]
+==== Installing Log4j Core for Spring Boot applications
+
+Spring Boot users should replace the `spring-boot-starter-logging` dependency
with `spring-boot-starter-log4j2`:
+
+[tabs]
+====
+
+Maven::
++
+[source,xml]
+----
+<dependencies>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-logging</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-log4j2</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+</dependencies>
+----
+
+Gradle::
++
+[source,groovy]
+----
+configurations {
+ all.exclude group: 'org.springframework.boot', module:
'spring-boot-starter-logging'
+}
+
+dependencies {
+ runtimeOnly group: 'org.springframework.boot', module:
'spring-boot-starter-log4j2'
+}
+----
+
+====
+
+The `spring-boot-starter-log4j2` artifact will automatically install Log4j
Core, xref:#impl-core-bridge-jul[JUL-to-Log4j bridge], and configure them.
+You don't need to add any other dependency or configure JUL anymore.
+See
https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.logging[Spring
Boot Logging documentation] for further information.
+
+[#impl-core-config]
+==== Configuring Log4j Core
+
+As any other logging implementation, Log4j Core needs to be properly
configured.
+Log4j Core supports many different configuration formats: JSON, XML, YAML, and
Java properties.
+To configure Log4j Core, see xref:manual/configuration.adoc[].
+A basic configuration can be obtained by adding one of these files to your
application's classpath:
+
+[tabs]
+====
+
+log4j2.xml::
++
+[source,xml]
+----
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration xmlns="https://logging.apache.org/xml/ns";
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xsi:schemaLocation="https://logging.apache.org/xml/ns
+
https://logging.apache.org/xml/ns/log4j-config-3.xsd";>
+ <appenders>
+ <Console name="CONSOLE"/>
+ </appenders>
+ <loggers>
+ <root level="INFO">
+ <AppenderRef ref="Console"/>
+ </root>
+ </Loggers>
+</Configuration>
+----
+
+log4j2.json::
++
+[source,json]
+----
+{
+ "Configuration": {
+ "Appenders": {
+ "Console": {
+ "name": "CONSOLE"
+ }
+ },
+ "Loggers": {
+ "Root": {
+ "level": "INFO",
+ "AppenderRef": {
+ "ref": "CONSOLE"
+ }
+ }
+ }
+ }
+}
+----
+
+log4j2.yaml::
++
+[source,yaml]
+----
+Configuration:
+ Appenders:
+ Console:
+ name: CONSOLE
+ Loggers:
+ Root:
+ level: INFO
+ AppenderRef:
+ ref: CONSOLE
+----
+
+log4j2.properties::
++
+[source,properties]
+----
+appender.0.type = Console
+appender.0.name = CONSOLE
+rootLogger.level = INFO
+rootLogger.appenderRef.0.ref = CONSOLE
+----
+
+====
+
+In order to use these formats, the following additional dependencies are
required:
+
+[tabs]
+====
+
+Maven::
++
+[tabs]
+=====
+
+log4j2.xml::
++
+No dependency required.
+
+log4j2.json::
++
+[source,xml,subs="+attributes"]
+----
+<dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ <version>{jackson-version}</version>
+ <scope>runtime</scope>
+</dependency>
+----
+
+log4j2.yaml::
++
+[source,xml,subs="+attributes"]
+----
+<dependency>
+ <groupId>com.fasterxml.jackson.dataformat</groupId>
+ <artifactId>jackson-dataformat-yaml</artifactId>
+ <version>{jackson-version}</version>
+ <scope>runtime</scope>
+</dependency>
+----
+
+log4j2.properties::
++
+No dependency required.
+
+=====
+
+Gradle::
++
+[tabs]
+=====
+
+log4j2.xml::
++
+No dependency required.
+
+log4j2.json::
++
+[source,groovy,subs="+attributes"]
+----
+runtimeOnly 'com.fasterxml.jackson.core:jackson-databind:{jackson-version}'
+----
+
+log4j2.yaml::
++
+[source,groovy,subs="+attributes"]
+----
+runtimeOnly
'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:{jackson-version}'
+----
+
+log4j2.properties::
++
+No dependency required.
+
+=====
+====
+
+[#impl-jul]
+=== Installing JUL
+
+[TIP]
+====
+Are you using https://github.com/jboss-logging/jboss-logmanager[JBoss Log
Manager] as your JUL implementation?
+You can skip this section and use the
https://github.com/jboss-logging/log4j2-jboss-logmanager[`log4j2-jboss-logmanager`]
and
https://github.com/jboss-logging/slf4j-jboss-logmanager[`slf4j-jboss-logmanager`]
bridges from the JBoss Logging project instead.
+====
+
+Java Platform contains a very simple logging API and its implementation called
{jul-link}.
+Since it is embedded in the platform, it only requires the addition of bridges
from Log4j API and SLF4J:
+
+[tabs]
+====
+
+Maven::
++
+[source,xml,subs="+attributes"]
+----
+<dependencies>
+ <!-- Log4j-to-JUL bridge -->
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-to-jul</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <!-- SLF4J-to-JUL bridge -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>{slf4j-version}</version>
+ <scope>runtime</scope>
+ </dependency>
+ <!-- ... -->
+</dependencies>
+----
+
+Gradle::
++
+[source,groovy,subs="+attributes"]
+----
+runtimeOnly 'org.apache.logging.log4j:log4j-to-jul' // Log4j-to-JUL bridge
+runtimeOnly 'org.slf4j:slf4j-jdk14:{slf4j-version}' // SLF4J-to-JUL bridge
+----
+
+====
+
+To configure JUL, see
https://docs.oracle.com/en/java/javase/{java-target-version}/docs/api/java.logging/java/util/logging/LogManager.html[`java.util.logging.LogManager`].
+
+[#impl-logback]
+=== Installing Logback
+
+To install https://logback.qos.ch/[Logback] as the logging implementation, you
only need to add a Log4j-to-SLF4J bridge:
+
+[tabs]
+====
+
+Maven::
++
+[source,xml]
+----
+<dependencies>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>{logback-version}</version>
+ <scope>runtime</scope>
+ </dependency>
+ <!-- Log4j-to-SLF4J bridge -->
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-to-slf4j</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+</dependencies>
+----
+
+Gradle::
++
+[source,groovy,subs="+attributes"]
+----
+runtimeOnly 'ch.qos.logback:logback-classic:{logback-version}'
+runtimeOnly 'org.apache.logging.log4j:log4j-to-slf4j' // Log4j-to-SLF4J bridge
+----
+
+====
+
+To configure Logback, see
https://logback.qos.ch/manual/configuration.html[Logback's configuration
documentation].
diff --git a/src/site/antora/modules/ROOT/pages/manual/logsep.adoc
b/src/site/antora/modules/ROOT/pages/manual/logsep.adoc
index 02772dd55c..69ab01596a 100644
--- a/src/site/antora/modules/ROOT/pages/manual/logsep.adoc
+++ b/src/site/antora/modules/ROOT/pages/manual/logsep.adoc
@@ -99,9 +99,9 @@ system property `log4j2.contextSelector` to
create a single LoggerContext using a single configuration that will be
shared across all applications.
2. Place the logging jars in the container's classpath and use the
-default ClassLoaderContextSelector. Follow the
-xref:manual/webapp.adoc[instructions to initialize Log4j 2 in a web
-application]. Each application can be configured to share the same
+default ClassLoaderContextSelector.
+See the instructions shared in xref:manual/webapp.adoc[Log4j Web].
+Each application can be configured to share the same
configuration used at the container or can be individually configured.
If status logging is set to debug in the configuration there will be
output from when logging is initialized in the container and then again
diff --git a/src/site/antora/modules/ROOT/pages/security.adoc
b/src/site/antora/modules/ROOT/pages/security.adoc
deleted file mode 100644
index 7fe42fe5de..0000000000
--- a/src/site/antora/modules/ROOT/pages/security.adoc
+++ /dev/null
@@ -1,320 +0,0 @@
-////
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-////
-
-:cve-url-prefix: https://nvd.nist.gov/vuln/detail
-
-= Security
-
-The Apache Log4j Security Team takes security seriously.
-This allows our users to place their trust in Log4j for protecting their
mission-critical data.
-In this page we will help you find guidance on security-related issues and
access to known vulnerabilities.
-
-include::_log4j1-eol.adoc[]
-
-[#support]
-== Getting support
-
-If you need help on building or configuring Log4j or other help on following
the instructions to mitigate the known vulnerabilities listed here, please use
our xref:support.adoc#discussions[user support channels].
-
-[TIP]
-====
-If you need to apply a source code patch, use the building instructions for
the Log4j version that you are using.
-These instructions can be found in `BUILDING.adoc` distributed with the
sources.
-====
-
-[#reporting]
-== Reporting vulnerabilities
-
-If you have encountered an unlisted security vulnerability or other unexpected
behaviour that has a security impact, or if the descriptions here are
incomplete, please report them **privately** to
mailto:[email protected][the Log4j Security Team].
-
-[WARNING]
-====
-The threat model that Log4j uses considers configuration files as safe input
controlled by the programmer; **potential vulnerabilities that require the
ability to modify a configuration are not considered vulnerabilities** as the
required access to do so implies the attacker can execute arbitrary code.
-====
-
-[#policy]
-== Vulnerability handling policy
-
-The Apache Log4j Security Team follows the
https://www.apache.org/security/committers.html[ASF Project Security] guide for
handling security vulnerabilities.
-
-Reported security vulnerabilities are subject to voting (by means of
https://logging.apache.org/guidelines.html[_lazy approval_], preferably) in the
private mailto:[email protected][security mailing list] before
creating a CVE and populating its associated content.
-This procedure involves only the creation of CVEs and blocks neither
(vulnerability) fixes, nor releases.
-
-[#vdr]
-== Vulnerability Disclosure Report (VDR)
-
-Starting with version `2.22.0`, Log4j distributes
https://cyclonedx.org/capabilities/vdr[CycloneDX Software Bill of Materials
(SBOM)] along with each deployed artifact.
-Produced SBOMs contain BOM-links referring to a
https://cyclonedx.org/capabilities/vdr[CycloneDX Vulnerability Disclosure
Report (VDR)] that Apache Logging Services uses for all projects it maintains.
-All this is streamlined by `logging-parent`, see
https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website]
for details.
-
-[#vulnerabilities]
-== Known vulnerabilities
-
-The Log4j Security Team believes that accuracy, completeness and availability
of security information is essential for our users.
-We choose to pool all information on this one page, allowing easy searching
for security vulnerabilities over a range of criteria.
-
-[NOTE]
-====
-We adhere to
https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html[the Maven
version range syntax] while sharing versions of affected components.
-We only extend this mathematical notation with set union operator (i.e., `∪`)
to denote union of multiple ranges.
-====
-
-[#CVE-2021-44832]
-=== {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
-
-[cols="1h,5"]
-|===
-|Summary |JDBC appender is vulnerable to remote code execution in certain
configurations
-|CVSS 3.x Score & Vector |6.6 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)`
-|Versions fixed |`2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for
Java 8 and later)
-|===
-
-[#CVE-2021-44832-description]
-==== Description
-
-An attacker with write access to the logging configuration can construct a
malicious configuration using a JDBC Appender with a data source referencing a
JNDI URI which can execute remote code.
-This issue is fixed by limiting JNDI data source names to the `java` protocol.
-
-[#CVE-2021-44832-mitigation]
-==== Mitigation
-
-Upgrade to `2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for Java
8 and later).
-
-In prior releases confirm that if the JDBC Appender is being used it is not
configured to use any protocol other than `java`.
-
-[#CVE-2021-44832-references]
-==== References
-- {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
-
-[#CVE-2021-45105]
-=== {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105]
-
-[cols="1h,5"]
-|===
-|Summary |Infinite recursion in lookup evaluation
-|CVSS 3.x Score & Vector |5.9 MEDIUM
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0`
(for Java 8 and later)
-|===
-
-[#CVE-2021-45105-description]
-==== Description
-
-Log4j versions `2.0-alpha1` through `2.16.0` (excluding `2.3.1` and `2.12.3`),
did not protect from uncontrolled recursion that can be implemented using
self-referential lookups.
-When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over
Thread Context Map (MDC) input data can craft malicious input data that
contains a recursive lookup, resulting in a `StackOverflowError` that will
terminate the process.
-This is also known as a _DoS (Denial-of-Service)_ attack.
-
-[#CVE-2021-45105-mitigation]
-==== Mitigation
-
-Upgrade to `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for Java
8 and later).
-
-Alternatively, this infinite recursion issue can be mitigated in configuration:
-
-* In PatternLayout in the logging configuration, replace Context Lookups like
`${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (`%X`,
`%mdc`, or `%MDC`).
-* Otherwise, in the configuration, remove references to Context Lookups like
`${ctx:loginId}` or `$${ctx:loginId}` where they originate
-from sources external to the application such as HTTP headers or user input.
-Note that this mitigation is insufficient in releases older than `2.12.2` (for
Java 7), and `2.16.0` (for Java 8 and later) as the issues fixed in those
releases will still be present.
-
-Note that only the `log4j-core` JAR file is impacted by this vulnerability.
-Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
-
-[#CVE-2021-45105-credits]
-==== Credits
-
-Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro's Zero Day
Initiative, and another anonymous vulnerability researcher.
-
-[#CVE-2021-45105-references]
-==== References
-
-- {cve-url-prefix}/CVE-2021-45105[CVE-2021-45105]
-- https://issues.apache.org/jira/browse/LOG4J2-3230[LOG4J2-3230]
-
-[#CVE-2021-45046]
-=== {cve-url-prefix}/CVE-2021-45046[CVE-2021-45046]
-
-[cols="1h,5"]
-|===
-|Summary |Thread Context Lookup is vulnerable to remote code execution in
certain configurations
-|CVSS 3.x Score & Vector |9.0 CRITICAL
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0`
(for Java 8 and later)
-|===
-
-[#CVE-2021-45046-description]
-==== Description
-
-It was found that the fix to address <<CVE-2021-44228>> in Log4j `2.15.0` was
incomplete in certain non-default configurations.
-When the logging configuration uses a non-default Pattern Layout with a Thread
Context Lookup (for example, `$${ctx:loginId}`), attackers with control over
Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup
pattern, resulting in an information leak and remote code execution in some
environments and local code execution in all environments.
-Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and
Alpine Linux.
-
-Note that this vulnerability is not limited to just the JNDI lookup.
-Any other Lookup could also be included in a Thread Context Map variable and
possibly have private details exposed to anyone with access to the logs.
-
-Note that only the `log4j-core` JAR file is impacted by this vulnerability.
-Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
-
-[#CVE-2021-45046-mitigation]
-==== Mitigation
-
-Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for
Java 8 and later).
-
-[#CVE-2021-45046-credits]
-==== Credits
-
-This issue was discovered by Kai Mindermann of iC Consult and separately by
4ra1n.
-
-Additional vulnerability details discovered independently by Ash Fox of
Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of
Praetorian, and RyotaK (@ryotkak).
-
-[#CVE-2021-45046-references]
-==== References
-
-- {cve-url-prefix}/CVE-2021-45046[CVE-2021-45046]
-- https://issues.apache.org/jira/browse/LOG4J2-3221[LOG4J2-3221]
-
-[#CVE-2021-44228]
-=== {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228]
-
-[cols="1h,5"]
-|===
-|Summary |JNDI lookup can be exploited to execute arbitrary code loaded from
an LDAP server
-|CVSS 3.x Score & Vector |10.0 CRITICAL
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0`
(for Java 8 and later)
-|===
-
-[#CVE-2021-44228-description]
-==== Description
-
-In Log4j, the JNDI features used in configurations, log messages, and
parameters do not protect against attacker-controlled LDAP and other JNDI
related endpoints.
-An attacker who can control log messages or log message parameters can execute
arbitrary code loaded from LDAP servers.
-
-Note that only the `log4j-core` JAR file is impacted by this vulnerability.
-Applications using only the `log4j-api` JAR file without the `log4j-core` JAR
file are not impacted by this vulnerability.
-
-[#CVE-2021-44228-mitigation]
-==== Mitigation
-
-[#CVE-2021-44228-mitigation-log4j1]
-===== Log4j 1 mitigation
-
-include::_log4j1-eol.adoc[]
-
-Log4j 1 does not have Lookups, so the risk is lower.
-Applications using Log4j 1 are only vulnerable to this attack when they use
JNDI in their configuration.
-A separate CVE ({cve-url-prefix}/CVE-2021-4104[CVE-2021-4104]) has been filed
for this vulnerability.
-To mitigate, audit your logging configuration to ensure it has no
`JMSAppender` configured.
-Log4j 1 configurations without `JMSAppender` are not impacted by this
vulnerability.
-
-[#CVE-2021-44228-mitigation-log4j2]
-===== Log4j 2 mitigation
-
-Upgrade to Log4j `2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for
Java 8 and later).
-
-[#CVE-2021-44228-credits]
-==== Credits
-
-This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
-
-[#CVE-2021-44228-references]
-==== References
-
-- {cve-url-prefix}/CVE-2021-44228[CVE-2021-44228]
-- https://issues.apache.org/jira/browse/LOG4J2-3198[LOG4J2-3198]
-- https://issues.apache.org/jira/browse/LOG4J2-3201[LOG4J2-3201]
-
-[#CVE-2020-9488]
-=== {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488]
-
-[cols="1h,5"]
-|===
-|Summary |Improper validation of certificate with host mismatch in SMTP
appender
-|CVSS 3.x Score & Vector |3.7 LOW
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)`
-|Versions fixed |`2.12.3` (Java 7) and `2.13.2` (Java 8 and later)
-|===
-
-[#CVE-2020-9488-description]
-==== Description
-
-Improper validation of certificate with host mismatch in SMTP appender.
-This could allow an SMTPS connection to be intercepted by a man-in-the-middle
attack which could leak any log
-messages sent through that appender.
-
-The reported issue was caused by an error in `SslConfiguration`.
-Any element using `SslConfiguration` in the Log4j `Configuration` is also
affected by this issue.
-This includes `HttpAppender`, `SocketAppender`, and `SyslogAppender`.
-Usages of `SslConfiguration` that are configured via system properties are not
affected.
-
-[#CVE-2020-9488-mitigation]
-==== Mitigation
-
-Upgrade to `2.12.3` (Java 7) or `2.13.2` (Java 8 and later).
-
-Alternatively, users can set the `mail.smtp.ssl.checkserveridentity` system
property to `true` to enable SMTPS hostname verification for all SMTPS mail
sessions.
-
-[#CVE-2020-9488-credits]
-==== Credits
-
-This issue was discovered by Peter Stöckli.
-
-[#CVE-2020-9488-references]
-==== References
-
-- {cve-url-prefix}/CVE-2020-9488[CVE-2020-9488]
-- https://issues.apache.org/jira/browse/LOG4J2-2819[LOG4J2-2819]
-
-[#CVE-2017-5645]
-=== {cve-url-prefix}/CVE-2017-5645[CVE-2017-5645]
-
-[cols="1h,5"]
-|===
-|Summary |TCP/UDP socket servers can be exploited to execute arbitrary code
-|CVSS 2.0 Score & Vector |7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-|Components affected |`log4j-core`
-|Versions affected |`[2.0-alpha1, 2.8.2)`
-|Versions fixed |`2.8.2` (Java 7)
-|===
-
-[#CVE-2017-5645-description]
-==== Description
-
-When using the TCP socket server or UDP socket server to receive serialized
log events from another application, a specially crafted binary payload can be
sent that, when deserialized, can execute arbitrary code.
-
-[#CVE-2017-5645-mitigation]
-==== Mitigation
-
-Java 7 and above users should migrate to version `2.8.2` or avoid using the
socket server classes.
-Java 6 users should avoid using the TCP or UDP socket server classes, or they
can manually backport
https://github.com/apache/logging-log4j2/commit/5dcc192[the security fix
commit] from `2.8.2`.
-
-[#CVE-2017-5645-credits]
-==== Credits
-
-This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.
-
-[#CVE-2017-5645-references]
-==== References
-
-- {cve-url-prefix}/CVE-2017-5645[CVE-2017-5645]
-- https://issues.apache.org/jira/browse/LOG4J2-1863[LOG4J2-1863]
-- https://github.com/apache/logging-log4j2/commit/5dcc192[Security fix commit]
diff --git a/src/site/antora/modules/ROOT/pages/support.adoc
b/src/site/antora/modules/ROOT/pages/support.adoc
deleted file mode 100644
index 063826da76..0000000000
--- a/src/site/antora/modules/ROOT/pages/support.adoc
+++ /dev/null
@@ -1,145 +0,0 @@
-////
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-////
-
-= Support
-
-The Apache Software Foundation does not employ individuals to develop and
support any of its projects.
-The individuals who contribute to Apache projects do it either as part of
specific tasks assigned to them by their employer, on their own initiative to
benefit their employer, or on their own free time.
-
-[#discussions]
-== User support
-
-If you have questions like:
-
-* _"How do I configure Log4j with the file appender?"_
-* _"My layout is not working as expected; what should I do?"_
-* _"How can I migrate from Log4j 1 with this custom configuration?"_
-
-We urge you to first check our xref:faq.adoc[FAQ] to see if it has already
been answered.
-If not, you can ask your questions on one of our official user support
channels:
-
-* https://github.com/apache/logging-log4j2/discussions[GitHub Discussions]
-* `[email protected]` mailing list (public |
mailto:[email protected][subscribe] |
mailto:[email protected][unsubscribe] |
mailto:[email protected][post] |
https://lists.apache.org/list.html?log4j-user@logging.apache.org[archive])
-
-[WARNING]
-====
-**You are expected to be subscribed** to a mailing list to receive replies to
your posted questions!
-If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.
-====
-
-[WARNING]
-====
-Messages sent to a public mailing list will be seen by many people and also
re-published by 3rd party websites.
-It is usually not possible to remove them.
-Please **don't send mails containing confidential information** to public
mailing lists.
-For more information, please see the
https://privacy.apache.org/policies/privacy-policy-public.html[privacy policy]
-====
-* http://stackoverflow.com[Stack Overflow] (use
http://stackoverflow.com/questions/tagged/log4j[log4j] or
http://stackoverflow.com/questions/tagged/log4j2[log4j2] tags)
-
-== Maintainer discussions
-
-Apache Log4j project officially uses mailing lists for discussions related to
maintenance and development.
-
-[WARNING]
-====
-**You are expected to be subscribed** to a mailing list to receive replies to
your posted questions!
-If you are not subscribed, when you post an email, it will be subject to
moderation (hence, will be distributed with a delay) and the only way you would
be able to follow the conversation is to use the mailing list archive.
-====
-
-If you have questions or feedback like:
-
-* A class should have public visibility instead of package-scoped
-* A plugin is missing configuration options
-* You found a bug
-
-then please contact us using the following mailing lists:
-
-`[email protected]` (public |
mailto:[email protected][subscribe] |
mailto:[email protected][unsubscribe] |
mailto:[email protected][post] |
https://lists.apache.org/list.html?dev@logging.apache.org[archive])::
-For _development_ discussions
-(Please prefix subjects with `[log4j]` when starting a new thread!)
-
-[WARNING]
-====
-Messages sent to a public mailing list will be seen by many people and also
re-published by 3rd party websites.
-It is usually not possible to remove them.
-Please **don't send mails containing confidential information** to public
mailing lists.
-For more information, please see the
https://privacy.apache.org/policies/privacy-policy-public.html[privacy policy]
-====
-
-`[email protected]` (private |
mailto:[email protected][post])::
-For reporting unlisted **security vulnerabilities** or other unexpected
behaviour that has a security impact
-
-`[email protected]` (private |
mailto:[email protected][post])::
-For the discussion of confidential topics within the Apache Logging Services
project management committee.
-
-[#issues]
-== Issues
-
-The Log4j project uses https://github.com/apache/logging-log4j2/issues[GitHub
Issues] as its issue tracking system.
-The old issue tracking system,
https://issues.apache.org/jira/projects/LOG4J2[JIRA], is still accessible,
though only recommended for issues that were already created there.
-
-Issues get resolved in one of the following ways:
-
-. The reporter or another interested party provides
https://github.com/apache/logging-log4j2/pulls[a pull request] tagging the
issue in its title
-. A committer is interested in the issue and decides to work on it
-. The reporter or another interested party sponsors one or more of
xref:#sponsorship[the committers listed below] to encourage them to work on the
issue
-
-Created issues are subject to the following policy:
-
-Quality::
-Issues posted of insufficient quality will be removed
-
-No protracted discussions::
-Issues likely to result in protracted discussion must be posted to the mailing
lists
-
-No Questions::
-Do not post questions as issues!
-These will be removed, and you will be asked to post questions to the mailing
lists instead.
-
-[#sponsorship]
-== Sponsorship
-
-Sponsorship can be used simply as a way to say thank you for the work that has
been done or as a way to encourage specific issues to be worked on.
-In either case, while the Apache Logging Services project thanks you for your
support, we cannot be responsible for any promises and/or contributions made by
an individual committer, as individual commits must be reviewed and accepted by
the project team.
-
-=== Committers accepting GitHub Sponsorship
-
-* https://github.com/carterkozak[Carter Kozak]
-* https://github.com/garydgregory[Gary Gregory]
-* https://github.com/jvz[Matt Sicker]
-* https://github.com/ppkarwasz[Piotr P. Karwasz]
-* https://github.com/rgoers[Ralph Goers]
-* https://github.com/vy[Volkan Yazıcı]
-
-[#commercial]
-== Third-party commercial support
-
-While neither the Apache Software Foundation nor the Apache Logging Services
project provide any commercial support for the Log4j products, individual
committers may collaborate with services that provide such support.
-
-The following aims to be a list of all commercial support services involving
one or more Log4j committers.
-
-https://volkan.yazi.ci[Abstract Dynamics]::
-Consultancy services offered by PMC member
https://www.linkedin.com/in/yazicivo[Volkan Yazıcı]
-
-https://copernik.eu[Copernik]::
-Consultancy services offered by PMC member
https://www.linkedin.com/in/ppkarwasz[Piotr Karwasz]
-
-https://grobmeier.solutions[Grobmeier Solutions]::
-Consultancy services offered by PMC member
https://www.linkedin.com/in/grobmeier/[Christian Grobmeier]
-
-https://tidelift.com[Tidelift]::
-Some Log4j maintainers receive funding from Tidelift for their maintenance
efforts.
