[ https://issues.apache.org/jira/browse/LOG4J2-3242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462828#comment-17462828 ]

ASF subversion and git services commented on LOG4J2-3242:
---------------------------------------------------------

Commit bf8ba18f63ab9f9ffd54387c5c527ecc7a681037 in logging-log4j2's branch 
refs/heads/log4j-2.12 from Gary Gregory
[ https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=bf8ba18 ]

[LOG4J2-3242] Limit JNDI to the java protocol only. (#645)

* [LOG4J2-3242] Limit JNDI to the java protocol only. JNDI will remain
disabled by default. The enablement property has been renamed to
'log4j2.enableJndiJava'.

* Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as
it causes problems with the Maven enforcer plugin.

I'm not updating changes.xml to avoid git conflicts.

* [LOG4J2-3242] Limit JNDI to the java protocol only. JNDI will remain
disabled by default. The enablement property has been renamed to
'log4j2.enableJndiJava'.

Oops, add missing test fixture for RoutingAppenderWithJndiTest.

> Limit JNDI to the java protocol only
> ------------------------------------
>
>                 Key: LOG4J2-3242
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3242
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.16.0
>            Reporter: Ralph Goers
>            Priority: Major
>             Fix For: 2.17.1
>
>
> The use of JNDI to access anything besides the java protocol has proven to be 
> insecure. Use of anything but that must be disabled. JNDI needs to remain 
> disabled by default.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
