Should this announcement also be sent to annou...@apache.org?

On Fri, Dec 10, 2021 at 7:08 PM Ralph Goers <ralph.go...@dslextreme.com> wrote:
> The Apache Log4j 2 team is pleased to announce the Log4j 2.15.0 release!
>
> Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as support for Markers, lambda expressions for lazy logging, property substitution using Lookups, multiple patterns on a PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (avoid allocating temporary objects) while logging. In addition, Log4j 2 will not lose events while reconfiguring.
>
> The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html.
>
> This release contains a number of bug fixes and minor enhancements which are listed below.
>
> The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.
>
> Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.
>
> One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.
>
> Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
>
> a) Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.
> b) Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
> c) Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.
>
> Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.apache.org/jira/browse/LOG4J2-2975 and https://jira.qos.ch/browse/SLF4J-511.
>
> Some of the new features in Log4j 2.15.0 include:
>
> • Support for Arbiters, which are conditionals that can enable sections of the logging configuration for inclusion or exclusion. In particular, SpringProfile, SystemProperty, Script, and Class Arbiters have been provided that use the Spring profile, System property, the result of a script, or the presence of a class respectively to determine whether a section of configuration should be included.
> • Support for Jakarta EE 9. This is functionally equivalent to Log4j's log4j-web module but uses the Jakarta project.
> • Various performance improvements.
>
> Key changes to note:
>
> • Prior to this release Log4j would automatically resolve Lookups contained in the message or its parameters in the Pattern Layout. This behavior is no longer the default and must be enabled by specifying %msg{lookup}.
> • The JNDI Lookup has been restricted to only support the java, ldap, and ldaps protocols by default. LDAP also no longer supports classes that implement the Referenceable interface and restricts the Serializable classes to the Java primitive classes by default and requires an allow list to be specified to access remote LDAP servers.
>
> The Log4j 2.15.0 API, as well as many core components, maintains binary compatibility with previous releases.
>
> GA Release 2.15.0
>
> Changes in this version include:
>
> New Features
>
> • LOG4J2-3198: Pattern layout no longer enables lookups within message text by default for cleaner API boundaries and reduced formatting overhead. The old 'log4j2.formatMsgNoLookups' which enabled this behavior has been removed as well as the 'nolookups' message pattern converter option. The old behavior can be enabled on a per-pattern basis using '%m{lookups}'.
> • LOG4J2-3194: Allow fractional attributes for size attribute of SizeBasedTriggeringPolicy. Thanks to markuss.
> • LOG4J2-2978: Add support for Jakarta EE 9 (Tomcat 10 / Jetty 11). Thanks to Michael Seele.
> • LOG4J2-3189: Improve NameAbbreviator worst-case performance.
> • LOG4J2-3170: Make CRLF/HTML encoding run in O(n) worst-case time, rather than O(n^2). Thanks to Gareth Smith.
> • LOG4J2-3133: Add missing slf4j-api singleton accessors to log4j-slf4j-impl (1.7) StaticMarkerBinder and StaticMDCBinder. This doesn't impact behavior or correctness, but avoids throwing and catching NoSuchMethodErrors when slf4j is initialized and avoids linkage linting warnings.
> • LOG4J2-2885: Add support for US-style date patterns and micro/nano seconds to FixedDateTime. Thanks to Markus Spann.
> • LOG4J2-3116: Add JsonTemplateLayout for Google Cloud Platform structured logging layout.
> • LOG4J2-3067: Add CounterResolver to JsonTemplateLayout.
> • LOG4J2-3074: Add replacement parameter to ReadOnlyStringMapResolver.
> • LOG4J2-3051: Add CaseConverterResolver to JsonTemplateLayout.
> • LOG4J2-3064: Add Arbiters and SpringProfile plugin.
> • LOG4J2-3056: Refactor MD5 usage for sharing sensitive information. Thanks to Marcono1234.
> • LOG4J2-3004: Add plugin support to JsonTemplateLayout.
> • LOG4J2-3050: Allow AdditionalFields to be ignored if their value is null or a zero-length String.
> • LOG4J2-3049: Allow MapMessage and ThreadContext attributes to be prefixed.
> • LOG4J2-3048: Add improved MapMessage support to GelfLayout.
> • LOG4J2-3044: Add RepeatPatternConverter.
> • LOG4J2-2940: Context selectors are aware of their dependence upon the caller's ClassLoader, allowing basic context selectors to avoid the unnecessary overhead of walking the stack to determine the caller's ClassLoader.
> • LOG4J2-2940: Add BasicAsyncLoggerContextSelector equivalent to AsyncLoggerContextSelector for applications with a single LoggerContext. This selector avoids classloader lookup overhead incurred by the existing AsyncLoggerContextSelector.
> • LOG4J2-3041: Allow a PatternSelector to be specified on GelfLayout.
> • LOG4J2-3141: Avoid ThreadLocal overhead in RandomAccessFileAppender, RollingRandomAccessFileManager, and MemoryMappedFileManager due to the unused setEndOfBatch and isEndOfBatch methods. The methods on LogEvent are preferred.
> • LOG4J2-3144: Prefer string.getBytes(Charset) over string.getBytes(String) based on performance improvements in modern Java releases.
> • LOG4J2-3171: Improve PatternLayout performance by reducing unnecessary indirection and branching.
>
> Fixed Bugs
>
> • LOG4J2-3201: Limit the protocols JNDI can use by default. Limit the servers and classes that can be accessed via LDAP.
> • LOG4J2-3114: Enable immediate flush on RollingFileAppender when buffered i/o is not enabled. Thanks to Barnabas Bodnar.
> • LOG4J2-3168: Fix bug when file names contain regex characters. Thanks to Benjamin Wöster.
> • LOG4J2-3110: Fix the number of {}-placeholders in the string literal argument does not match the number of other arguments to the logging call. Thanks to Arturo Bernal.
> • LOG4J2-3060: Fix thread-safety issues in DefaultErrorHandler. Thanks to Nikita Mikhailov.
> • LOG4J2-3185: Fix thread-safety issues in DefaultErrorHandler. Thanks to mzbonnt.
> • LOG4J2-3183: Avoid using MutableInstant of the event as a cache key in JsonTemplateLayout.
> • LOG4J2-2829: SocketAppender should propagate failures when reconnection fails.
> • LOG4J2-3172: Buffer immutable log events in the SmtpManager. Thanks to Barry Fleming.
> • LOG4J2-3175: Avoid KafkaManager override when topics differ. Thanks to wuqian0808.
> • LOG4J2-3160: Fix documentation on how to toggle log4j2.debug system property. Thanks to Lars Bohl.
> • LOG4J2-3159: Fixed an unlikely race condition in Log4jMarker.getParents() volatile access.
> • LOG4J2-3153: DatePatternConverter performance is not impacted by microsecond-precision clocks when such precision isn't required.
> • LOG4J2-2808: LoggerContext skips resolving localhost when hostName is configured. Thanks to Asapha Halifa.
> • LOG4J2-3150: RandomAccessFile appender uses the correct default buffer size of 256 kB rather than the default appender buffer size of 8 kB.
> • LOG4J2-3142: log4j-1.2-api implements LogEventAdapter.getTimestamp() based on the original event timestamp instead of returning zero. Thanks to John Meikle.
> • LOG4J2-3083: log4j-slf4j-impl and log4j-slf4j18-impl correctly detect the calling class using both LoggerFactory.getLogger methods as well as LoggerFactory.getILoggerFactory().getLogger.
> • LOG4J2-2816: Handle Disruptor event translation exceptions. Thanks to Jacob Shields.
> • LOG4J2-3121: log4j2 config modified at run-time may trigger incomplete MBean re-initialization due to InstanceAlreadyExistsException. Thanks to Markus Spann.
> • LOG4J2-3107: SmtpManager.createManagerName ignores port. Thanks to Markus Spann.
> • LOG4J2-3080: Use SimpleMessage in Log4j 1 Category whenever possible.
> • LOG4J2-3102: Fix a regression in 2.14.1 which allowed the AsyncAppender background thread to keep the JVM alive because the daemon flag was not set.
> • LOG4J2-3103: Fix race condition which can result in ConcurrentModificationException on context.stop. Thanks to Mike Glazer.
> • LOG4J2-3092: Fix JsonWriter memory leaks due to retained excessive buffer growth. Thanks to xmh51.
> • LOG4J2-3089: Fix sporadic JsonTemplateLayoutNullEventDelimiterTest failures on Windows. Thanks to Tim Perry.
> • LOG4J2-3075: Fix formatting of nanoseconds in JsonTemplateLayout.
> • LOG4J2-3087: Fix race in JsonTemplateLayout where a timestamp could end up unquoted. Thanks to Anton Klarén.
> • LOG4J2-3070: Ensure EncodingPatternConverter#handlesThrowable is implemented. Thanks to Romain Manni-Bucau.
> • LOG4J2-3054: BasicContextSelector hasContext and shutdown take the default context into account.
> • LOG4J2-2940: Slf4j implementations walk the stack at most once rather than twice to determine the caller's class loader.
> • LOG4J2-2965: Fixed a deadlock between the AsyncLoggerContextSelector and java.util.logging.LogManager by updating Disruptor to 3.4.4.
> • LOG4J2-3095: Category.setLevel should accept null value. Thanks to Kenny MacLeod, Gary Gregory.
> • LOG4J2-3174: Wrong subject on mail when it depends on the LogEvent. Thanks to romainmoreau.
>
> Changes
>
> • : Update Spring framework to 5.3.13, Spring Boot to 2.5.7, and Spring Cloud to 2020.0.4.
> • LOG4J2-2025: Provide support for overriding the Tomcat Log class in Tomcat 8.5+.
> • : Updated dependencies.
>
> - com.fasterxml.jackson.core:jackson-annotations ................. 2.12.2 -> 2.12.4
> - com.fasterxml.jackson.core:jackson-core ........................ 2.12.2 -> 2.12.4
> - com.fasterxml.jackson.core:jackson-databind .................... 2.12.2 -> 2.12.4
> - com.fasterxml.jackson.dataformat:jackson-dataformat-xml ........ 2.12.2 -> 2.12.4
> - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ....... 2.12.2 -> 2.12.4
> - com.fasterxml.jackson.module:jackson-module-jaxb-annotations ... 2.12.2 -> 2.12.4
> - com.fasterxml.woodstox:woodstox-core ........................... 6.2.4 -> 6.2.6
> - commons-io:commons-io .......................................... 2.8.0 -> 2.11.0
> - net.javacrumbs.json-unit:json-unit ............................. 2.24.0 -> 2.25.0
> - net.javacrumbs.json-unit:json-unit ............................. 2.25.0 -> 2.27.0
> - org.apache.activemq:activemq-broker ............................ 5.16.1 -> 5.16.2
> - org.apache.activemq:activemq-broker ............................ 5.16.2 -> 5.16.3
> - org.apache.commons:commons-compress ............................ 1.20 -> 1.21
> - org.apache.commons:commons-csv ................................. 1.8 -> 1.9.0
> - org.apache.commons:commons-dbcp2 ............................... 2.8.0 -> 2.9.0
> - org.apache.commons:commons-pool2 ............................... 2.9.0 -> 2.11.1
> - org.apache.maven.plugins:maven-failsafe-plugin ................. 2.22.2 -> 3.0.0-M5
> - org.apache.maven.plugins:maven-surefire-plugin ................. 2.22.2 -> 3.0.0-M5
> - org.apache.rat:apache-rat-plugin ............................... 0.12 -> 0.13
> - org.assertj:assertj-core ....................................... 3.19.0 -> 3.20.2
> - org.codehaus.groovy:groovy-dateutil ............................ 3.0.7 -> 3.0.8
> - org.codehaus.groovy:groovy-jsr223 .............................. 3.0.7 -> 3.0.8
> - org.codehaus.plexus:plexus-utils ............................... 3.3.0 -> 3.4.0
> - org.eclipse.persistence:javax.persistence ...................... 2.1.1 -> 2.2.1
> - org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.6.5 -> 2.6.9
> - org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.7.8 -> 2.7.9
> - org.fusesource.jansi ........................................... 2.3.2 -> 2.3.4
> - org.fusesource.jansi:jansi ..................................... 2.3.1 -> 2.3.2
> - org.hsqldb:hsqldb .............................................. 2.5.1 -> 2.5.2
> - org.junit.jupiter:junit-jupiter-engine ......................... 5.7.1 -> 5.7.2
> - org.junit.jupiter:junit-jupiter-migrationsupport ............... 5.7.1 -> 5.7.2
> - org.junit.jupiter:junit-jupiter-params ......................... 5.7.1 -> 5.7.2
> - org.junit.vintage:junit-vintage-engine ......................... 5.7.1 -> 5.7.2
> - org.liquibase:liquibase-core ................................... 3.5.3 -> 3.5.5
> - org.mockito:mockito-core ....................................... 3.8.0 -> 3.11.2
> - org.mockito:mockito-junit-jupiter .............................. 3.8.0 -> 3.11.2
> - org.springframework:spring-aop ................................. 5.3.3 -> 5.3.9
> - org.springframework:spring-beans ............................... 5.3.3 -> 5.3.9
> - org.springframework:spring-context ............................. 5.3.3 -> 5.3.9
> - org.springframework:spring-context-support ..................... 5.3.3 -> 5.3.9
> - org.springframework:spring-core ................................ 5.3.3 -> 5.3.9
> - org.springframework:spring-expression .......................... 5.3.3 -> 5.3.9
> - org.springframework:spring-oxm ................................. 5.3.3 -> 5.3.9
> - org.springframework:spring-test ................................ 5.3.3 -> 5.3.9
> - org.springframework:spring-web ................................. 5.3.3 -> 5.3.9
> - org.springframework:spring-webmvc .............................. 5.3.3 -> 5.3.9
> - org.tukaani:xz ................................................. 1.8 -> 1.9
>
> Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.
>
> For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website:
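The mitigations the quoted announcement lists (upgrade to 2.15.0; log4j.formatMsgNoLookups=true for 2.10 and later; %m{nolookups} for 2.7 and later; removing the JndiLookup class from log4j-core) only help once you know which log4j-core jars are deployed, at which versions, and whether anyone has already stripped JndiLookup from them. The script below is an added example for this thread, not code from the Log4j project or from the announcement. It walks a directory tree, and for every jar that looks like log4j-core it reads the version from the Maven pom.properties entry (an assumption about how the jar was packaged: repackaged or shaded jars may lack it and are reported as unknown), checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, and maps the result onto the announcement's options a/b/c. The sample jars it builds in a temporary directory are constructed stubs containing only those marker entries, not real Log4j artifacts.

```python
"""Inventory log4j-core jars and map each to the mitigation options the
2.15.0 announcement lists.  Example written for this thread; the version
source (Maven pom.properties inside the jar) is an assumption."""
import os
import re
import tempfile
import zipfile

# Entry names inside a log4j-core jar that the scanner keys on.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # release the announcement names as the fix


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, has_jndi):
    """Map (version, JndiLookup present?) onto the announcement's guidance."""
    if version is None:
        return "unknown version: inspect manually"
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "fixed: 2.15.0 or later"
    if not has_jndi:
        return "mitigated: JndiLookup class removed (option c)"
    if v >= (2, 10, 0):
        return "vulnerable: upgrade, or set log4j.formatMsgNoLookups=true (option a)"
    if v >= (2, 7, 0):
        return "vulnerable: upgrade, or use %m{nolookups} in PatternLayout (option b)"
    return "vulnerable: upgrade, or remove JndiLookup from the jar (option c)"


def inspect_jar(path):
    """Return None for jars that carry no log4j-core markers, else a report dict."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names and JNDI_LOOKUP not in names:
                return None
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    has_jndi = JNDI_LOOKUP in names
    return {"path": path, "version": version, "jndi_lookup_present": has_jndi,
            "status": classify(version, has_jndi)}


def scan(root):
    """Walk root and report every jar that looks like log4j-core."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                report = inspect_jar(os.path.join(dirpath, name))
                if report:
                    results.append(report)
    return results


def make_sample_jar(path, version, include_jndi):
    """Constructed stand-in for a log4j-core jar: marker entries only."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=%s\n" % version)
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build constructed samples in a temp dir and return {jar name: status}."""
    tmp = tempfile.mkdtemp()
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", True),
        "log4j-core-2.14.1-stripped.jar": ("2.14.1", False),
        "log4j-core-2.15.0.jar": ("2.15.0", True),
        "log4j-core-2.8.2.jar": ("2.8.2", True),
        "unrelated.jar": (None, False),  # no log4j-core markers at all
    }
    for name, (version, jndi) in samples.items():
        make_sample_jar(os.path.join(tmp, name), version, jndi)
    return {os.path.basename(r["path"]): r["status"] for r in scan(tmp)}


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-32s %s" % (name, status))
```

Point `scan()` at an application's lib directory or an unpacked container image rather than `demo()` to use it for real. An "unknown version" result is deliberately not treated as safe: without pom.properties the script cannot tell a 2.15.0 jar from an older one, so such jars need a manual look at their manifest or class list.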