This is an automated email from the ASF dual-hosted git repository.

github-actions[bot] pushed a commit to branch main-site-stg-out
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/main-site-stg-out by this push:
     new 173084a2 Add website content generated from 
`3dc5d3665dc95034a473574613c435666fede7d1`
173084a2 is described below

commit 173084a24c7945650b7e9ca42380a00a5a998c08
Author: ASF Logging Services RM <[email protected]>
AuthorDate: Fri Jul 10 21:10:00 2026 +0000

    Add website content generated from 
`3dc5d3665dc95034a473574613c435666fede7d1`
---
 cyclonedx/vdr.xml |  84 ++++++++++++++++++++++++++++++++++++++++++---
 security.html     | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 sitemap.xml       |  42 +++++++++++------------
 3 files changed, 199 insertions(+), 27 deletions(-)

diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml
index f7f0739a..861e5d77 100644
--- a/cyclonedx/vdr.xml
+++ b/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="7"
+     version="8"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2026-04-10T11:53:17Z</timestamp>
+    <timestamp>2026-07-10T20:53:31Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
@@ -62,6 +62,12 @@
       <name>Log4cxx</name>
       <purl>pkg:conan/log4cxx</purl>
     </component>
+    <component type="library" bom-ref="log4j-api">
+      <group>org.apache.logging.log4j</group>
+      <name>log4j-api</name>
+      <cpe>cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.logging.log4j/log4j-api?type=jar</purl>
+    </component>
     <component type="library" bom-ref="log4j-core">
       <group>org.apache.logging.log4j</group>
       <name>log4j-core</name>
@@ -89,6 +95,71 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+        <id>CVE-2026-49844</id>
+        <source>
+            <name>NVD</name>
+            <url>https://nvd.nist.gov/vuln/detail/CVE-2026-49844</url>
+        </source>
+        <ratings>
+            <rating>
+                <source>
+                    <name>The Apache Software Foundation</name>
+                    <url>
+                        
<![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+                </source>
+                <score>6.3</score>
+                <severity>medium</severity>
+                <method>CVSSv4</method>
+                
<vector>AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+            </rating>
+        </ratings>
+        <cwes>
+            <cwe>116</cwe>
+        </cwes>
+        <description><![CDATA[Improper encoding of non-finite floating-point 
values during `MapMessage` JSON serialization in Apache Log4j API produces 
output that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 
2.26.0.
+
+The fix for CVE-2026-34481 did not cover all code paths: when a `MapMessage` 
contains a non-finite IEEE 754 value (`NaN`, `Infinity`, or `-Infinity`), 
`MapMessage.asJson()` emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the 
resulting document.
+
+The defect is reachable only when both of the following conditions hold:
+
+* The application uses the
+https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message[`message`
 resolver]
+of `JsonTemplateLayout`, or any other layout that relies on 
`MapMessage.asJson()` or `MapMessage.getFormattedMessage(new String[] 
{"JSON"})`.
+* The application logs a `MapMessage` that contains an attacker-controlled 
floating-point value.
+
+An attacker who can supply a non-finite value can cause the affected layout to 
emit malformed JSON, which may corrupt the enclosing log record or disrupt 
downstream log ingestion and parsing.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
API version `2.25.5` or `2.26.1`, both of which emit RFC 8259-compliant JSON 
for non-finite values.]]></recommendation>
+        <created>2026-07-10T20:53:31Z</created>
+        <published>2026-07-10T20:53:31Z</published>
+        <updated>2026-07-10T20:53:31Z</updated>
+        <credits>
+            <individuals>
+                <individual>
+                    <name>Himanshu Anand</name>
+                </individual>
+            </individuals>
+        </credits>
+        <affects>
+            <target>
+                <ref>log4j-api</ref>
+                <versions>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.13.1|<2.25.5]]></range>
+                    </version>
+                    <version>
+                        <range><![CDATA[vers:maven/>=2.26.0|<2.26.1]]></range>
+                    </version>
+                    <version>
+                        
<range><![CDATA[vers:maven/>=3.0.0-alpha1|<=3.0.0-beta2]]></range>
+                    </version>
+                </versions>
+            </target>
+        </affects>
+    </vulnerability>
+
     <vulnerability>
         <id>CVE-2026-40023</id>
         <source>
@@ -235,11 +306,14 @@ This may cause downstream log processing systems to 
reject or fail to index affe
 An attacker can exploit this issue only if both of the following conditions 
are met:
 
 * The application uses `JsonTemplateLayout`.
-* The application logs a `MapMessage` containing an attacker-controlled 
floating-point value.]]></description>
-        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
JSON Template Layout version `2.25.4`, which corrects this 
issue.]]></recommendation>
+* The application logs a `MapMessage`, or logs an object directly (e.g., via 
`Logger.info(Object)`, which wraps it in an `ObjectMessage`), where the message 
contains an attacker-controlled floating-point value.]]></description>
+        <recommendation><![CDATA[Users are advised to upgrade to Apache Log4j 
JSON Template Layout version `2.25.4`, which corrects this issue.
+
+NOTE: The fix released in version `2.25.4` did not cover all affected code 
paths.
+CVE-2026-49844 was assigned to the remaining issue, which concerns the 
`MapMessage.asJson()` serialization in Apache Log4j API and is fixed in 
versions `2.25.5` and `2.26.1`.]]></recommendation>
         <created>2026-04-10T11:53:17Z</created>
         <published>2026-04-10T11:53:17Z</published>
-        <updated>2026-04-10T11:53:17Z</updated>
+        <updated>2026-07-10T20:53:31Z</updated>
         <credits>
             <individuals>
                 <individual>
diff --git a/security.html b/security.html
index b0bcbb0f..7d09a47b 100644
--- a/security.html
+++ b/security.html
@@ -788,6 +788,91 @@ We choose to pool all information on this one page, 
allowing easy searching for
 </table>
 </div>
 <div class="sect2">
+<h3 id="CVE-2026-49844"><a class="anchor" href="#CVE-2026-49844"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-49844";>CVE-2026-49844</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper 
serialization of non-finite floating-point values in 
<code>MapMessage.asJson()</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>log4j-api</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.13.1, 2.25.5) ∪ [2.26.0, 2.26.1) ∪ [3.0.0-alpha1, 
3.0.0-beta2]</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.25.5</code> and <code>2.26.1</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2026-49844-description"><a class="anchor" 
href="#CVE-2026-49844-description"></a>Description</h4>
+<div class="paragraph">
+<p>Improper encoding of non-finite floating-point values during 
<code>MapMessage</code> JSON serialization in Apache Log4j API produces output 
that is not valid JSON.
+This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 
2.26.0.</p>
+</div>
+<div class="paragraph">
+<p>The fix for <a href="#CVE-2026-34481">CVE-2026-34481</a> did not cover all 
code paths: when a <code>MapMessage</code> contains a non-finite IEEE 754 value 
(<code>NaN</code>, <code>Infinity</code>, or <code>-Infinity</code>), 
<code>MapMessage.asJson()</code> emits the corresponding bare token.
+RFC 8259 does not permit these tokens, so a conformant parser rejects the 
resulting document.</p>
+</div>
+<div class="paragraph">
+<p>The defect is reachable only when both of the following conditions hold:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The application uses the
+<a 
href="https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message";><code>message</code>
 resolver</a>
+of <code>JsonTemplateLayout</code>, or any other layout that relies on 
<code>MapMessage.asJson()</code> or <code>MapMessage.getFormattedMessage(new 
String[] {"JSON"})</code>.</p>
+</li>
+<li>
+<p>The application logs a <code>MapMessage</code> that contains an 
attacker-controlled floating-point value.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>An attacker who can supply a non-finite value can cause the affected layout 
to emit malformed JSON, which may corrupt the enclosing log record or disrupt 
downstream log ingestion and parsing.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-remediation"><a class="anchor" 
href="#CVE-2026-49844-remediation"></a>Remediation</h4>
+<div class="paragraph">
+<p>Users are advised to upgrade to Apache Log4j API version 
<code>2.25.5</code> or <code>2.26.1</code>, both of which emit RFC 
8259-compliant JSON for non-finite values.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-credits"><a class="anchor" 
href="#CVE-2026-49844-credits"></a>Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered by Himanshu Anand.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2026-49844-references"><a class="anchor" 
href="#CVE-2026-49844-references"></a>References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-49844";>CVE-2026-49844</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4j2/pull/4163";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
 <h3 id="CVE-2026-40023"><a class="anchor" href="#CVE-2026-40023"></a><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-40023";>CVE-2026-40023</a></h3>
 <table class="tableblock frame-all grid-all stretch">
 <colgroup>
@@ -976,7 +1061,7 @@ This may cause downstream log processing systems to reject 
or fail to index affe
 <p>The application uses <code>JsonTemplateLayout</code>.</p>
 </li>
 <li>
-<p>The application logs a <code>MapMessage</code> containing an 
attacker-controlled floating-point value.</p>
+<p>The application logs a <code>MapMessage</code>, or logs an object directly 
(e.g., via <code>Logger.info(Object)</code>, which wraps it in an 
<code>ObjectMessage</code>), where the message contains an attacker-controlled 
floating-point value.</p>
 </li>
 </ul>
 </div>
@@ -986,6 +1071,19 @@ This may cause downstream log processing systems to 
reject or fail to index affe
 <div class="paragraph">
 <p>Users are advised to upgrade to Apache Log4j JSON Template Layout version 
<code>2.25.4</code>, which corrects this issue.</p>
 </div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+The fix released in version <code>2.25.4</code> did not cover all affected 
code paths.
+<a href="#CVE-2026-49844">CVE-2026-49844</a> was assigned to the remaining 
issue, which concerns the <code>MapMessage.asJson()</code> serialization in 
Apache Log4j API and is fixed in versions <code>2.25.5</code> and 
<code>2.26.1</code>.
+</td>
+</tr>
+</table>
+</div>
 </div>
 <div class="sect3">
 <h4 id="CVE-2026-34481-credits"><a class="anchor" 
href="#CVE-2026-34481-credits"></a>Credits</h4>
diff --git a/sitemap.xml b/sitemap.xml
index c72d1049..274dba69 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -2,86 +2,86 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9";>
 <url>
 
<loc>https://logging.apache.org/blog/20231117-flume-joins-logging-services.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20231128-new-pmc-member.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20231202-apache-common-logging-1.3.0.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20231214-announcing-support-from-the-stf.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20231218-20-years-of-innovation.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20240725-Log4j-At-Community-Over-Code-2024.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20240808-welcome-to-the-pmc-jan.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/20240812-log4j-bug-bounty.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 
<loc>https://logging.apache.org/blog/20250728-introduction-to-vex-files.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/blog/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/charter.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/download.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/guidelines.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/processes.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/security.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/security/faq.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/support.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/team-list.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/what-is-logging.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 <url>
 <loc>https://logging.apache.org/xml/ns/index.html</loc>
-<lastmod>2026-07-09T17:24:37.746Z</lastmod>
+<lastmod>2026-07-10T21:09:58.261Z</lastmod>
 </url>
 </urlset>

Reply via email to