Author: skitching
Date: Sun Nov 19 01:17:43 2006
New Revision: 476777
URL: http://svn.apache.org/viewvc?view=rev&rev=476777
Log:
General updates
Modified:
jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt
Modified: jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt?view=diff&rev=476777&r1=476776&r2=476777
==============================================================================
--- jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt (original)
+++ jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt Sun Nov 19 01:17:43
2006
@@ -58,7 +58,9 @@
obtaining the context classloader. In version 1.1 it did. In this release, it
has
reverted to not using an AccessController; any user-level code that needs to
obtain a
context classloader should itself create an AccessController, and call the
-LogFactory.getContextClassLoader method via the doPrivileged method.
+LogFactory.getContextClassLoader method via the doPrivileged method. This
fixes a
+potential security issue, where untrusted code could get access to the context
+classloader if a signed JCL library was in the classpath.
== Dependencies ==
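Review bot: The sentence added at the end of the AccessController paragraph limits the exposure to "a signed JCL library", while the LOGGING-106 and LOGGING-107 entries in this same file speak of "signing/authorising" the library. Suggest consistent wording such as "a signed or otherwise authorised JCL library", so readers who grant JCL privileges through policy rather than signing do not assume they are unaffected. The sentence also leaves the exposed release implicit; the context lines say version 1.1 used the AccessController, so naming 1.1 here would tell users running under a security policy that they need this release.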
@@ -85,12 +87,13 @@
libraries, just the internally implemented SimpleLog and NoOpLog classes
plus Jdk14Logger (which is currently required by Apache Tomcat).
-This jar file may be used as a declared dependency for projects that care about
-"transitive dependencies" and can't handle jar files such as
commons-logging-nn.jar
-which have "optional" dependencies depending on how they are used. In addition,
-this jar file can be useful for "rebundlers" of JCL who recompile the
source-code
-but who may not be able to recompile against the full set of supported
adapters;
-such projects should be able to at least recreate an equivalent of this jar
file.
+The file commons-logging-api-nn.jar may be used as a declared dependency for
+projects that care about "transitive dependencies" and can't handle jar files
+such as commons-logging-nn.jar which have "optional" dependencies depending on
+how they are used. In addition, this jar file can be useful for "rebundlers" of
+JCL who recompile the source-code but who may not be able to recompile against
+the full set of supported adapters; such projects should be able to at least
+recreate an equivalent of this jar file.
== General Notes ==
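Review bot: The re-wrapping of this paragraph hides its one real wording change, the opening "This jar file" becoming "The file commons-logging-api-nn.jar"; every other removed line comes back with the same words at a different line width. Suggest committing the reflow separately from the wording change so the substantive edit is visible in the diff and in later blame output.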
@@ -108,18 +111,36 @@
this merely affects how those are presented in the source files. See
http://www.apache.org/legal/src-headers.html
+This release can be built/tested with maven 2.0.4. Maven 1.x and Ant continue
+to be supported.
+
== Bugs Fixed ==
* LOGGING-106: JCL 1.1 was completely unusable under a security policy that
prevented
access to system properties. Even signing/authorising the JCL library was not
sufficient. This has been fixed by (a) catching SecurityException and
falling back
to a sensible default, and (b) using AccessController so JCL can be granted
- privileges without needing the caller to have them too.
+ privileges without needing the caller to have them too.
* LOGGING-107: JCL 1.1 auto-discovery failed under a security policy that
prevented
calls to ClassLoader.getParent. Signing/authorising the JCL library was not
sufficient as an AccessController was not used. This has been fixed by
catching
SecurityException and using an AccessController.
+
+* MEV-392 (http://jira.codehaus.org/browse/MEV-392)
+ As JCL didn't provide a Maven2 pom.xml file, one was helpfully created by
people
+ not involved with the commons-logging project and published to the standard
maven
+ repositories. Unfortunately this pom declared normal dependencies on all the
logging
+ libraries that are supported by the core JCL distribution, meaning they all
get pulled
+ into a project that declares a dependency on JCL1.1. This release now
provides an
+ "official" pom.xml which declares these dependencies as optional so they
aren't
+ automatically included in projects that depend on JCL 1.1.1.
+
+* (no bug#): Fix thread-safety bug (SimpleDateFormat.format is not
thread-safe).
+ Thanks to Martin Wilson of bright-interactive for the bug report.
+
+* (no bug#): Security issue regarding access to context classloader (see
incompatibilities
+ section above).
DEPRECATIONS:
============
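Review bot: The last added bullet, "(no bug#): Security issue regarding access to context classloader", is too terse for the one security fix in this list: it carries no issue id and only points at the incompatibilities section. Suggest restating in the bullet that LogFactory.getContextClassLoader no longer uses an AccessController and that callers must wrap the call in doPrivileged themselves, because the LOGGING-106 and LOGGING-107 entries just above both describe using an AccessController as part of their fix, and a reader could take the two as contradictory without being told which calls each covers. Smaller points: the removed and added "privileges without needing the caller to have them too." lines appear to differ only in whitespace, and the MEV-392 entry writes "JCL1.1" in one place and "JCL 1.1.1" in another.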