[ANN] Log4j 2.8 released

2017-01-27 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.8 release!

Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as support for Markers, lambda expressions for lazy logging, property substitution using Lookups, multiple patterns on a PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (avoid allocating temporary objects) while logging. In addition, Log4j 2 will not lose events while reconfiguring.

This release contains several bugfixes and new features. The new features include the ability to have the RollingFileAppender log directly to the archive files. More details on the new features and fixes are itemized below.

Note that subsequent to the 2.6 release a minor source incompatibility was found due to the addition of new methods to the Logger interface. If you have code that does:

logger.error(null, "This is the log message", throwable);

or similar with any log level you will get a compiler error saying the reference is ambiguous. To correct this either do:

logger.error("This is the log message", throwable);

or

logger.error((Marker) null, "This is the log message", throwable);

The Log4j 2.8 API, as well as many core components, maintains binary
compatibility with previous releases.

GA Release 2.8

Changes in this version include:

New features:
o LOG4J2-1032:  Make DefaultRolloverStrategy more efficient when
renaming files. Add nomax option to the fileIndex attribute.
o LOG4J2-1101:  RollingFileAppender now supports omitting the file
name and writing directly to the archive files.
o LOG4J2-1243:  Allow default value in property to be a Lookup.
o LOG4J2-1787:  Document how to exclude transitive conflicting
dependencies in Maven and Gradle.
o LOG4J2-1773:  Add StatusLoggerRule to allow unit tests to set a status level.
o LOG4J2-424:  Add non-string data type support to JdbcAppender via
new ColumnMapping plugin.
o LOG4J2-1771:  Add a Builder to ColumnConfig and deprecate
ColumnConfig.createColumnConfig().
o LOG4J2-1770:  Add a Builder to JdbcAppender and deprecate
JdbcAppender.createAppender().
o LOG4J2-1764:  Use MethodHandle in ContextDataFactory cached constructor.
o LOG4J2-1730:  Add Apache Cassandra appender and ColumnMapping plugin.
o LOG4J2-1759:  Add TypeConverter for java.util.UUID.
o LOG4J2-1758:  Add TypeConverter for java.nio.file.Path.
o LOG4J2-1755:  Add TypeConverter and constraint validators for
java.net.InetAddress and port numbers.
o LOG4J2-969:  Refactor SyslogAppender so that Layout is a Plugin element.
o LOG4J2-1660:  Added public method
ThreadContext::getThreadContextMap; removed class ThreadContextAccess.
o LOG4J2-1379:  Add documentation regarding YAML configuration format.
o LOG4J2-1718:  Introduce marker interface AsynchronouslyFormattable.
o LOG4J2-1681:  Introduce interfaces IndexedStringMap and
IndexedReadOnlyStringMap, supporting garbage-free iteration over
sorted map.
o LOG4J2-1695:  Add a Builder to ScriptPatternSelector and deprecate
ScriptPatternSelector.createSelector().
o LOG4J2-1696:  Add a Builder to MarkerPatternSelector and deprecate
MarkerPatternSelector.createSelector().
o LOG4J2-1697:  Add a SerializerBuilder to PatternLayout and deprecate
PatternLayout.createSerializer().
o LOG4J2-1701:  Add a Builder to RandomAccessFileAppender and
deprecate RandomAccessFileAppender.createAppender().
o LOG4J2-1703:  Add a Builder to MemoryMappedFileAppender and
deprecate MemoryMappedFileAppender.createAppender().
o LOG4J2-1704:  Add a Builder to RollingRandomAccessFileAppender and
deprecate RollingRandomAccessFileAppender.createAppender().
o LOG4J2-1709:  Add a Builder to SyslogAppender and deprecate
SyslogAppender.createAppender().
o LOG4J2-1707:  Allow TCP Socket Appender to set socket options.
o LOG4J2-1708:  Allow Secure Socket Appender to set socket options.
o LOG4J2-1737:  Add a Builder to SyslogLayout and deprecate
SyslogLayout.createLayout(Facility, boolean, String, Charset).
o LOG4J2-1738:  Add a Builder to JsonLayout and deprecate
org.apache.logging.log4j.core.layout.JsonLayout.createLayout(Configuration,
boolean, boolean, boolean, boolean, boolean, boolean, String, String,
Charset, boolean).
o LOG4J2-1739:  Add Builder to KafkaAppender and deprecate
KafkaAppender.createAppender(Layout, Filter, String, boolean, String,
Property[], Configuration).
o LOG4J2-1733:  Add SyncSend attribute to KafkaAppender (as in
KafkaLog4jAppender). Thanks to Vincent Tieleman.

Fixed Bugs:
o LOG4J2-1780:  Eliminate the use of the ExecutorServices in the LoggerContext.
o LOG4J2-1786:  ConfigurationScheduler now preserves interrupt flag
during stop.
o LOG4J2-1779:  Fixed bug where AsyncLogger did not resolve
configuration properties.
o LOG4J2-1769:  Fixed concurrency issue affecting all layouts except
PatternLayout and GelfLayout, which caused scrambled 

[ANN] Log4j 2.8.2 released

2017-04-08 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.8.2 release!

Apache Log4j is a well known framework for logging application behavior.
Log4j 2 is an upgrade to Log4j that provides significant improvements over
its predecessor, Log4j 1.x, and provides many other modern features such as
support for Markers, lambda expressions for lazy logging, property
substitution using Lookups, multiple patterns on a PatternLayout and
asynchronous Loggers. Another notable Log4j 2 feature is the ability to be
"garbage-free" (avoid allocating temporary objects) while logging. In
addition, Log4j 2 will not lose events while reconfiguring.

This release primarily contains bugfixes and minor enhancements. More
details on the new features and fixes are itemized below.

Note that subsequent to the 2.6 release a minor source incompatibility was
found due to the addition of new methods to the Logger interface. If you
have code that does:

logger.error(null, "This is the log message", throwable);

or similar with any log level you will get a compiler error saying the
reference is ambiguous. To correct this either do:

logger.error("This is the log message", throwable);

or

logger.error((Marker) null, "This is the log message", throwable);

The Log4j 2.8.2 API, as well as many core components, maintains binary
compatibility with previous releases.
GA Release 2.8.2

Changes in this version include:

New Features

- LOG4J2-1863: Add support for filtering input in TcpSocketServer and UdpSocketServer.
- LOG4J2-1848: Add JSON encoding support to EncodingPatternConverter %encode{}.
- LOG4J2-1843: Add support for appending common suffix to each line of throwable stack trace. Thanks to Zilong Song.
- LOG4J2-1838: Add support for appending common suffix to each line of extended and root throwable stack trace. Thanks to Zilong Song.

Fixed Bugs

- LOG4J2-1861: Fix JavaDoc on org.apache.logging.log4j.ThreadContext about inheritance.
- LOG4J2-1862: Fix JavaDoc about @Order and OrderComparator ordering. Thanks to wangyuntao.
- LOG4J2-1849: Fixed daylight savings time issue with FixedDateFormat.
- LOG4J2-1850: Fix CassandraRule and unit tests on Windows. Thanks to Ludovic Hochet.
- LOG4J2-1840: Fix typo in %replace converter documentation. Thanks to Pradeep Balasundaram.
- LOG4J2-1846: Handle when LogEvent.getLoggerName() returns null in LoggerNameLevelRewritePolicy.
- LOG4J2-1845: Handle when LogEvent.getLoggerName() returns null in KafkaAppender.
- LOG4J2-1853: The default value of RandomAccessFileAppender.Builder append field is wrong. Thanks to wangyuntao.
- LOG4J2-1835: Fix documentation about the licensing for JeroMQ.
- LOG4J2-1836: Update the API version to 2.6.0.
- LOG4J2-1831: NullPointerException in HtmlLayout. Thanks to Edward Serebrinskiy.
- LOG4J2-1820: Log4j 2.8 can lose exceptions when a security manager is present. Thanks to Jason Tedor.

Changes

- LOG4J2-1827: Move integration tests to their own module to speed up build.
- LOG4J2-1856: Update Jackson from 2.8.6 to 2.8.7.

--

Apache Log4j 2.8.2 requires a minimum of Java 7 to build and run. Log4j 2.3
was the last release that supported Java 6.

Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api
component, however it does not implement some of the very implementation
specific classes and methods. The package names and Maven groupId have been
changed to org.apache.logging.log4j to avoid any conflicts with log4j 1.x.

For complete information on Apache Log4j 2, including instructions on how
to submit bug reports, patches, or suggestions for improvement, see 

Fwd: CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability

2017-04-17 Thread Matt Sicker
CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability

Severity: High

CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Vendor: The Apache Software Foundation

Versions Affected: all versions from 2.0-alpha1 to 2.8.1

Description: When using the TCP socket server or UDP socket server to
receive serialized log events from another application, a specially crafted
binary payload can be sent that, when deserialized, can execute arbitrary
code.

Mitigation: Java 7+ users should migrate to version 2.8.2 or avoid using
the socket server classes. Java 6 users should avoid using the TCP or UDP
socket server classes, or they can manually backport the security fix from
2.8.2: 

Credit: This issue was discovered by Marcio Almeida de Macedo of Red Team
at Telstra

References: 


[ANN] Log4j Scala API version 11.0 is now released

2017-07-29 Thread Matt Sicker
The PMC of the Logging Services project has released the first standalone
version of the Log4j Scala API, version 11.0. This release adds support for
Scala 2.12 in addition to continued support for Scala 2.10 and 2.11. The
version number has been increased all the way to 11 in order to
differentiate its release train from the main Log4j releases.

The Log4j Scala API is available on Maven Central as well as through our
normal distribution channels:
<https://www.apache.org/dist/logging/log4j/scala/11.0/>

Our other primary new feature to the Scala API is an idiomatic wrapper
around the ThreadContext/MDC APIs. More details in
<https://issues.apache.org/jira/browse/LOG4J2-1690>.


[ANN] Release of Apache Chainsaw 2.0.0

2018-01-26 Thread Matt Sicker
The Apache Logging Services project is pleased to announce the availability
of Apache Chainsaw 2.0.0. This is a long-awaited release of the Chainsaw
trunk/master code.

Apache Chainsaw is a Java GUI application to search, watch, and gather log
data from applications, particularly applications using Apache Log4j. This
release requires Java 6, though the source code can still be potentially
built with Java 1.4.

Site: https://logging.apache.org/chainsaw/2.x/
Downloads: https://logging.apache.org/chainsaw/2.x/download.html


Announcing Apache Log4j Kotlin API 1.0.0

2018-12-28 Thread Matt Sicker
The Apache Logging Services project is pleased to announce the general
availability of the first release of our new Log4j Kotlin API. This
provides a logging facade for Kotlin that is compatible with all
Log4j2 backend providers.

Website:
https://logging.apache.org/log4j/kotlin/

Distribution packages can be downloaded from:
https://logging.apache.org/log4j/kotlin/download.html

Make sure to verify downloaded artifacts with our GPG keys found here:
https://www.apache.org/dist/logging/KEYS

Maven artifacts are available from Maven Central:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api-kotlin/1.0.0/

-- 
Matt Sicker
Assistant Secretary, Apache Software Foundation
VP Logging Services, ASF


[CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

2019-12-19 Thread Matt Sicker
CVE-2019-17571: Deserialization of untrusted data in SocketServer

Severity: Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:W

Product:
Apache Log4j

Versions Affected:
Apache Log4j up to and including 1.2.27. Separately fixed by
CVE-2017-5645 in Log4j 2.8.2.

Problem type:
CWE-502: Deserialization of Untrusted Data

Description:

Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

Mitigation:

Apache Log4j 1.2 reached end of life in August 2015. Users should
upgrade to Log4j 2.x which both addresses that vulnerability as well
as numerous other issues in the previous versions.

Credit:

This issue was initially discovered in CVE-2017-5645 by Marcio Almeida
de Macedo of Red Team at Telstra.

Links:

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
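CVE-2017-5645 and CVE-2019-17571 share one root cause: a socket server hands untrusted bytes to `ObjectInputStream`, which instantiates whatever classes the stream names. The 2.8.2 fix (LOG4J2-1863) filters the stream. The following is an added example, not Log4j's own code, of that defensive pattern in plain Java: an `ObjectInputStream` subclass that resolves only classes matching an allowlist, rejecting everything else before any class is loaded. The allowed prefixes, the class name and the round-trip in `main` are this example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;

/** Added example: deserialization restricted to an allowlist of class-name prefixes. */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist for this example; a real log receiver names exactly the
    // event class it expects plus the JDK types used by its fields, nothing broader.
    private static final List<String> ALLOWED_PREFIXES = Arrays.asList(
            "java.lang.", "java.util.", "org.apache.logging.log4j.");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors look like "[Ljava.util.HashMap;" or "[B": check the element type.
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (name.length() == 1) {
            return super.resolveClass(desc);          // primitive array such as byte[]
        }
        if (name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return super.resolveClass(desc);
            }
        }
        // Rejecting here happens before the class is loaded and before any
        // readObject/readResolve code of that class can run.
        throw new InvalidClassException(name, "class not permitted by deserialization allowlist");
    }

    /** Reads one object through the allowlist; returns null if the stream was rejected. */
    public static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        } catch (InvalidClassException rejected) {
            return null;
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads: a java.util.HashMap is inside the allowlist; a
        // java.net.URL (harmless here, but outside the allowlist) is not.
        byte[] accepted = serialize(new HashMap<>(Collections.singletonMap("k", "v")));
        byte[] rejected = serialize(new java.net.URL("http://example.invalid/"));
        System.out.println("java.util.HashMap -> " + readFiltered(accepted)); // {k=v}
        System.out.println("java.net.URL      -> " + readFiltered(rejected)); // null (rejected)
    }
}
```

On Java 9 and later the same policy can be declared without a subclass through `ObjectInputStream.setObjectInputFilter` (JEP 290); the subclass form above also works on the Java 7 runtimes the 2017 advisory addresses. Either way, the allowlist belongs to the receiver, and a receiver that needs no deserialization at all (for example one that accepts JSON-encoded events) removes the class entirely.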


[ANN] Last few days remaining to submit Outreachy intern project proposals for upcoming round

2020-02-22 Thread Matt Sicker
Hello all,

The next round of Outreachy, a mentoring program for pairing open
source software projects with mentees from communities
underrepresented in tech in their locality, is coming up. These projects cover software
development, data science, documentation, design, and other technical
aspects of OSS. For those who have heard of or participated in Google
Summer of Code before, this works fairly similarly.

We have funding available for several projects to participate this
round, so please take a look at the following instructions on how to
get started as a mentor:

https://s.apache.org/OutreachyMay2020

If you have any questions about eligibility, project guidance, etc.,
please reach out to the Outreachy coordinators on the
d...@diversity.apache.org mailing list.

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF


[CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appender

2020-04-25 Thread Matt Sicker
Summary: Improper validation of certificate with host mismatch in
Log4j2 SMTP appender. This could allow an SMTPS connection to be
intercepted by a man-in-the-middle attack which could leak any log
messages sent through that appender.

Mitigation: Users should upgrade to Apache Log4j 2.13.2 which fixed
this issue in LOG4J2-2819 by making SSL settings configurable for
SMTPS mail sessions. As a workaround for previous releases, users can
set the `mail.smtp.ssl.checkserveridentity` system property to `true`
to enable SMTPS hostname verification for all SMTPS mail sessions.

https://issues.apache.org/jira/browse/LOG4J2-2819

CVE Details:
CWE: 297
CVSS: 3.7 (Low) CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affects: Apache Log4j <= 2.13.1
Fixed: Log4j 2.13.2
Reported by: Peter Stöckli 


-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
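The workaround in this advisory is a JVM system property, so on a release before 2.13.2 it has to be in place before Log4j creates the SmtpAppender's mail session, which happens when the configuration is first loaded. The following added example (not Log4j's code; the class and method names are this example's own) sets that property defensively unless an operator has already chosen a value, and shows the underlying JSSE mechanism, endpoint identification, applied to a raw `SSLSocket`, which is the check the advisory describes as missing.

```java
import java.util.Properties;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Added example: enabling SMTPS hostname verification on Log4j releases before 2.13.2. */
public final class SmtpsHostnameVerification {

    // Property named in the advisory; JavaMail's SMTP transport reads it when SSL is in use.
    static final String CHECK_SERVER_IDENTITY = "mail.smtp.ssl.checkserveridentity";

    /**
     * Sets the workaround property unless a value was already supplied (for example via
     * -Dmail.smtp.ssl.checkserveridentity=... on the command line). Returns the effective
     * setting so a startup check can refuse to run with verification off.
     */
    public static boolean enableCheckServerIdentity(Properties systemProps) {
        if (systemProps.getProperty(CHECK_SERVER_IDENTITY) == null) {
            systemProps.setProperty(CHECK_SERVER_IDENTITY, "true");
        }
        return Boolean.parseBoolean(systemProps.getProperty(CHECK_SERVER_IDENTITY));
    }

    /**
     * The same guarantee for any TLS socket the application opens itself: JSSE endpoint
     * identification makes the handshake fail when the peer certificate does not match
     * the host name the socket was opened to.
     */
    public static void requireHostnameMatch(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style host matching
        socket.setSSLParameters(params);
    }

    public static void main(String[] args) {
        // Run this before the first LogManager.getLogger(...) call in the application.
        boolean verifying = enableCheckServerIdentity(System.getProperties());
        if (!verifying) {
            throw new IllegalStateException(CHECK_SERVER_IDENTITY + " is explicitly false");
        }
        System.out.println(CHECK_SERVER_IDENTITY + "=true; safe to initialize logging");
    }
}
```

Setting the flag at JVM launch with `-Dmail.smtp.ssl.checkserveridentity=true` is the simpler deployment; the programmatic form matters when the launch command is not under your control. On 2.13.2 and later, configure the appender's SSL settings in the Log4j configuration instead, as LOG4J2-2819 describes.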


[CVE-2018-1285] XXE vulnerability in Apache log4net

2020-05-10 Thread Matt Sicker
Summary: Apache log4net does not disable XML external entities when
parsing log4net configuration files. This could allow for XXE-based
attacks in applications that accept arbitrary configuration files from
users. [1]

Affected: log4net up to 2.0.8

Mitigation: as there are no further releases of log4net beyond 2.0.8,
and the Logging Services PMC has voted [2] to mark the project
dormant, users should not allow arbitrary configuration files to be
specified from untrusted sources. While this is arguably a
vulnerability, misuse of any framework allowing untrusted input to
configure things is always a bad idea.

[1]: https://issues.apache.org/jira/browse/LOG4NET-575
[2]: 
https://lists.apache.org/thread.html/r6691036b0f85419e8bc97f6f522b8c353dd250b0a329164167b021a6%40%3Cdev.logging.apache.org%3E

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
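The underlying defect is a configuration parser that honors `<!DOCTYPE>` declarations, so an entity in an untrusted file can pull in external content. log4net is a .NET library; the examples on this page are in Java, so the following added example (not log4net's or Log4j's code) shows the equivalent hardening with the JDK's JAXP parser: DTDs are refused outright, and a constructed configuration carrying an external entity is rejected rather than expanded. The class name and the sample documents are this example's own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example: parsing a configuration file with external entities disabled. */
public final class HardenedConfigParser {

    // Constructed sample: a configuration file that declares an external entity.
    static final String CONFIG_WITH_EXTERNAL_ENTITY =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///example/constructed.txt\">]>\n"
            + "<config><appender name=\"&ext;\"/></config>";

    // Constructed sample: the same shape without a DTD, which the parser accepts.
    static final String PLAIN_CONFIG =
            "<?xml version=\"1.0\"?><config><appender name=\"console\"/></config>";

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE entirely removes every entity-based attack surface at once.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where DTDs must stay enabled.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** True when the hardened parser refuses the document (a SAXException from the DOCTYPE). */
    public static boolean rejects(String xml) {
        try {
            parse(xml);
            return false;
        } catch (SAXException e) {
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external entity rejected: " + rejects(CONFIG_WITH_EXTERNAL_ENTITY)); // true
        System.out.println("plain config root: " + parse(PLAIN_CONFIG).getDocumentElement().getTagName()); // config
    }
}
```

The parser settings do not replace the advisory's primary mitigation: a logging framework's configuration file also chooses appenders, file paths and network destinations, so it must come from a trusted source regardless of how safely the XML itself is parsed.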


[ANN] Apache participating in Outreachy May-Aug 2021 - call for project proposals and mentors

2021-02-08 Thread Matt Sicker
Apache is participating once again in the Outreachy program [1], a
remote internship program where interns contribute to free and open
source software communities over a three month full-time stipend. This
program is somewhat comparable to Google Summer of Code, though the
eligibility requirements for both projects and interns are somewhat
different. Outreachy's goal is to support people from groups
underrepresented in the technology industry. Outreachy interns will
work remotely with mentors on projects ranging from programming, user
experience, documentation, illustration, and graphic design, to data
science.

An FAQ [2] is available for those looking for details on project and
mentor requirements. If you would like to mentor, co-mentor, or
otherwise get involved in making a project proposal (or multiple
proposals), register at [3] and click "Submit a Project Proposal" to
mentor a new proposal or follow the other form to co-mentor an
existing project proposal once available.

Questions can be emailed to d...@diversity.apache.org mailing list or
to the Apache Outreachy coordinators directly at
mattsic...@apache.org, ka...@apache.org, and awa...@apache.org, or
they can be sent to #outreachy-general on the-asf.slack.com.

## Timeline

07 Mar 2021: deadline for mentors to submit project proposals
15 Mar 2021: beginning of applicant contribution period
16 Apr 2021: end of applicant contribution period
10 May 2021: deadline for selecting interns from applicants
12 May 2021: intern selection finalized by Outreachy
17 May 2021: intern selection publicly announced
24 May 2021: beginning of internship
24 Aug 2021: end of internship (can be extended if necessary)

[1]: https://www.outreachy.org/
[2]: https://cwiki.apache.org/confluence/display/EDI/Outreachy+FAQ
[3]: https://www.outreachy.org/communities/cfp/apache/

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP, Logging Services, ASF


[ANN] Release of Apache Log4j Kotlin API 1.1.0

2021-09-12 Thread Matt Sicker
The Apache Logging Services project is pleased to announce the general
availability of the second release of Apache Log4j Kotlin API. This
library provides a logging facade for Kotlin compatible with any
Log4j2-compatible logging providers along with Java 8 and Kotlin 1.3
minimum requirements.

Changes:
- Support MDCs with Kotlin coroutines. Fixes LOG4J2-2433.
- Support suspend functions in supplier lambdas. Fixes LOG4J2-2518.
- Update Kotlin baseline version to 1.3.72. Fixes LOG4J2-2843.

Website:
https://logging.apache.org/log4j/kotlin/

Distribution packages can be downloaded from:
https://logging.apache.org/log4j/kotlin/download.html

Make sure to verify downloaded artifacts with our GPG keys found here:
https://www.apache.org/dist/logging/KEYS

Maven artifacts are available from Maven Central:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api-kotlin/1.1.0/

--
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation


[ANNOUNCE] Apache Log4j 2.17.1 released

2021-12-28 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.17.1 release!

Apache Log4j is a well known framework for logging application
behavior. Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many other
modern features such as support for Markers, lambda expressions for
lazy logging, property substitution using Lookups, multiple patterns
on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
feature is the ability to be "garbage-free" (avoid allocating
temporary objects) while logging. In addition, Log4j 2 will not lose
events while reconfiguring.

The artifacts may be downloaded from
https://logging.apache.org/log4j/2.x/download.html.

This release contains the changes noted below:

Address CVE-2021-44832.
Other minor fixes.

Due to a break in compatibility in the SLF4J binding, Log4j now ships
with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
are not fully supported. See
https://issues.apache.org/jira/browse/LOG4J2-2975 and
https://jira.qos.ch/browse/SLF4J-511.

The Log4j 2.17.1 API, as well as many core components, maintains
binary compatibility with previous releases.

GA Release 2.17.1

Changes in this version include:

Fixed Bugs

LOG4J2-3293: JdbcAppender now uses JndiManager to access JNDI
resources. JNDI is only enabled when system property
log4j2.enableJndiJdbc is set to true.
LOG4J2-3290: Remove unused method.
LOG4J2-3292: ExtendedLoggerWrapper.logMessage no longer double-logs
when location is requested.
LOG4J2-3289: log4j-to-slf4j no longer re-interpolates formatted
message contents.
LOG4J2-3204: Correct SpringLookup package name in Interpolator. Thanks
to Francis-FY.
LOG4J2-3284: log4j-to-slf4j takes the provided MessageFactory into
account. Thanks to Michael Vorburger.
LOG4J2-3264: Fix MapLookup to lookup MapMessage before DefaultMap.
Thanks to Yanming Zhou.
LOG4J2-3274: Buffered I/O check had inverted logic in
RollingFileAppenderBuilder. Thanks to Faisal Khan Thayub Khan.
: Fix NPE when input is null in StrSubstitutor.replace(String, Properties).
LOG4J2-3270: Lookups with no prefix only read values from the
configuration properties as expected.
LOG4J2-3256: Reduce ignored package scope of KafkaAppender. Thanks to
Lee Dongjin.



Apache Log4j 2.17.1 requires a minimum of Java 8 to build and run.
Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on
how to submit bug reports, patches, or suggestions for improvement,
see the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.x/

-- 
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation


CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

2021-12-18 Thread Matt Sicker
Severity: high

Description:

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from
uncontrolled recursion from self-referential lookups. This allows an
attacker with control over Thread Context Map data to cause a denial
of service when a crafted string is interpreted. This issue was fixed
in Log4j 2.17.0.

This issue is being tracked as LOG4J2-3230

Mitigation:

Implement one of the following mitigation techniques:

* Java 8 (or later) users should upgrade to release 2.17.0.

Alternatively, this can be mitigated in configuration:

* In PatternLayout in the logging configuration, replace Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context
Map patterns (%X, %mdc, or %MDC).
* Otherwise, in the configuration, remove references to Context
Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they
originate
from sources external to the application such as HTTP headers or user input.

Credit:

Independently discovered by Hideki Okamoto of Akamai Technologies, Guy
Lederfein of Trend Micro Research working with Trend Micro’s Zero Day
Initiative, and another anonymous vulnerability researcher

References:

https://logging.apache.org/log4j/2.x/security.html


-- 
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation
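The configuration mitigation rests on the difference between a pattern that asks the layout to evaluate a lookup per event (`$${ctx:loginId}`) and one that copies a Thread Context value verbatim (`%X{loginId}`). The following added example (not from the advisory or the Log4j project; the class and method names are its own) builds a `PatternLayout` programmatically from the public `log4j-core` API and renders one event through the safe form. The context value is deliberately shaped like a lookup string to show that `%X` emits it as data and never interprets it.

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;
import org.apache.logging.log4j.util.SortedArrayStringMap;
import org.apache.logging.log4j.util.StringMap;

/** Added example: rendering Thread Context data with %X instead of a ${ctx:...} lookup. */
public final class ContextPatternDemo {

    /** Renders a single event whose loginId context entry holds the given string. */
    public static String render(String pattern, String loginId) {
        StringMap ctx = new SortedArrayStringMap();
        ctx.putValue("loginId", loginId);
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("demo")
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage("login attempt"))
                .setContextData(ctx)
                .build();
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        return layout.toSerializable(event);
    }

    public static void main(String[] args) {
        // Constructed sample: a context value that is itself a self-referential lookup,
        // the kind of input the advisory describes arriving from headers or user input.
        String hostile = "${ctx:loginId}";

        // %X{loginId} copies the value; the output contains the literal text "${ctx:loginId}".
        System.out.print(render("%X{loginId} %m%n", hostile));

        // The equivalent %mdc and %MDC converters behave the same way.
        System.out.print(render("user=%mdc{loginId} %m%n", hostile));

        // A pattern of "$${ctx:loginId} %m%n" would instead ask the layout to resolve the
        // lookup for every event, which is the construct the advisory says to replace.
    }
}
```

A quick audit for the weak form is a search of the logging configuration for `${ctx:` and `$${ctx:` (and the other lookup prefixes) inside any `pattern` attribute; each hit is either moved to `%X{...}` or, if the key comes from outside the application, dropped.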


[ANNOUNCE] Apache Log4j 2.3.2 for Java 6 released

2021-12-29 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.3.2 release!

Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as support for Markers, property substitution using Lookups, and asynchronous Loggers. In addition, Log4j 2 will not lose events while reconfiguring.

The major changes contained in this release include:

* Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.
* Address CVE-2021-44882 by removing processing of Lookups in the Message Pattern Converter of the Pattern Layout and preventing JNDI operations to use any protocols other than java.
* The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled.

The JNDI components are now disabled by default and may separately be enabled 
with three individual properties; log4j2.enableJndiContextSelector, 
log4j2.enableJndiJms, and log4j2.enableJndiLookup.

GA Release 2.3.2

Changes in this version include:


Fixed Bugs:
o LOG4J2-3293:  JDBC Appender should use JNDI Manager and JNDI access should be limited.
   Backport fix for CVE-2021-44832.
o LOG4J2-2819:  Add support for specifying an SSL configuration for SmtpAppender.
   Backport fix for CVE-2020-9488 to allow SSL/TLS hostname verification.



Apache Log4j 2.3.2 requires a minimum of Java 6 to build and run. It is not expected that any future Java 6 releases will be provided.

Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api component, however it does not implement some of the very implementation specific classes and methods. The package names and Maven groupId have been changed to org.apache.logging.log4j to avoid any conflicts with log4j 1.x.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website:

http://logging.apache.org/log4j/2.x/

Downloads available here:
https://logging.apache.org/log4j/log4j-2.3.2/download.html

GPG keys for verifying releases are available here:
https://downloads.apache.org/logging/KEYS


--
Matt Sicker



[ANNOUNCE] Apache Log4j 2.16.0 Released

2021-12-13 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.16.0 release!

Apache Log4j is a well known framework for logging application
behavior. Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many other
modern features such as support for Markers, lambda expressions for
lazy logging, property substitution using Lookups, multiple patterns
on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
feature is the ability to be "garbage-free" (avoid allocating
temporary objects) while logging. In addition, Log4j 2 will not lose
events while reconfiguring.

The artifacts may be downloaded from
https://logging.apache.org/log4j/2.x/download.html.

This release contains one change which is noted below.

Due to a break in compatibility in the SLF4J binding, Log4j now ships
with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
are not fully supported. See
https://issues.apache.org/jira/browse/LOG4J2-2975 and
https://jira.qos.ch/browse/SLF4J-511.

Some of the changes in Log4j 2.16.0 include:

* Removed Message Lookups. This is a hardening related to changes made
to prevent CVE-2021-44228. While this change is recommended, it is NOT
required to fix CVE-2021-44228.
* While release 2.15.0 removed the ability to resolve Lookups and log
messages and addressed issues with how JNDI is accessed, the Log4j
team feels that having JNDI enabled by default introduces an undue
risk for our users. Starting in version 2.16.0, JNDI functionality is
disabled by default and can be re-enabled via the log4j2.enableJndi
system property. Use of JNDI in an unprotected context is a large
security risk and should be treated as such in both this library and
all other Java libraries using JNDI.
* Prior to version 2.15.0, Log4j would automatically resolve Lookups
contained in the message or its parameters in the Pattern Layout. This
behavior is no longer the default and must be enabled by specifying
%msg{lookup}.

The Log4j 2.16.0 API, as well as many core components, maintains
binary compatibility with previous releases. This version is
recommended as an upgrade.

GA Release 2.16.0

Changes in this version include:

Fixed Bugs

LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be
set to true to allow JNDI.
LOG4J2-3211: Completely remove support for Message Lookups.



Apache Log4j 2.16.0 requires a minimum of Java 8 to build and run.
Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on
how to submit bug reports, patches, or suggestions for improvement,
see the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.x/

-- 
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation