This is a vote to release Log4j 2.3.2, a security release for Java 6 users.
Please download, test, and cast your votes on the log4j developers list.
[] +1, release the artifacts
[] -1, don't release because…
The vote will remain open for as short amount as time as required to vet the
release. All votes are welcome and we encourage everyone to test the release,
but only Logging PMC votes are “officially” counted. As always, at least 3 +1
votes and more positive than negative votes are required.
Changes in this version include:
Fixed Bugs
Fixed Bugs:
o LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access should be
limited.
Backport fix for CVE-2021-44832.
o LOG4J2-2819: Add support for specifying an SSL configuration for
SmtpAppender.
Backport fix for CVE-2020-9488 to allow SSL/TLS hostname verification.
Tag:
a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git
<https://github.com/apache/logging-log4j2.git>" and then "git checkout
tags/log4j-2.3.2-rc1” or just "git clone -b log4j-2.3.2-rc1
https://github.com/apache/logging-log4j2.git
<https://github.com/apache/logging-log4j2.git>"
b) for an existing working copy to “git pull” and then “git checkout
tags/log4j-2.3.2-rc1”
Web Site: [none published yet; need someone to stage a generated site]
Maven Artifacts:
https://repository.apache.org/content/repositories/orgapachelogging-1081/
Distribution archives: https://dist.apache.org/repos/dist/dev/logging/log4j/
<https://dist.apache.org/repos/dist/dev/logging/log4j/>
You may download all the Maven artifacts by executing:
wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
https://repository.apache.org/content/repositories/orgapachelogging-1081/org/apache/logging/log4j/
--
Matt Sicker
