"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "RELEASE-NOTES.md" between
apache-log4j-2.12.3-src.tar.gz and apache-log4j-2.12.4-src.tar.gz

About: Apache Log4j 2 is a logging library for Java. Source distribution (Java).
Caution: Release 2.12.3 is the last 2.x release to support Java 7 (Java 8 users should use 2.17.0 or greater) and have fixed a critical remote code execution vulnerability (CVE-2021-44228).

RELEASE-NOTES.md  (apache-log4j-2.12.3-src):RELEASE-NOTES.md  (apache-log4j-2.12.4-src)
skipping to change at line 17 skipping to change at line 17
the License. You may obtain a copy of the License at the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
--> -->
# Apache Log4j 2.12.3 Release Notes # Apache Log4j 2.12.4 Release Notes
The Apache Log4j 2 team is pleased to announce the Log4j 2.12.3 release! The Apache Log4j 2 team is pleased to announce the Log4j 2.12.4 release!
Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade
to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides
many other modern features such as support for Markers, lambda expressions for l azy logging, many other modern features such as support for Markers, lambda expressions for l azy logging,
property substitution using Lookups, multiple patterns on a PatternLayout and as ynchronous property substitution using Lookups, multiple patterns on a PatternLayout and as ynchronous
Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (av oid allocating Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (av oid allocating
temporary objects) while logging. In addition, Log4j 2 will not lose events whil e reconfiguring. temporary objects) while logging. In addition, Log4j 2 will not lose events whil e reconfiguring.
The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/downlo ad.html. The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/downlo ad.html.
This release contains the changes noted below: This release contains the changes noted below:
* Address CVE-2021-45105. * Address CVE-2021-44832.
* Require components that use JNDI to be enabled individually via system propert
ies.
* Remove LDAP and LDAPS as supported protocols from JNDI.
Due to a break in compatibility in the SLF4J binding, Log4j now ships with two v
ersions of the SLF4J to Log4j adapters.
log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-i
mpl should be used with SLF4J 1.8.x and
later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.ap
ache.org/jira/browse/LOG4J2-2975 and
https://jira.qos.ch/browse/SLF4J-511.
Some of the changes in Log4j 2.12.3 include:
* Disable recursive evaluation of Lookups during log event processing. Recursive
evaluation is still allowed while
generating the configuration.
* The JndiLookup, JndiContextSelector, and JMSAppender now require individual sy
stem properties to be enabled.
* Removed support for the LDAP and LDAPS protocols via JNDI.
## GA Release 2.12.3 This release addresses CVE-2021-44832 for users still using Java 7.
The Log4j 2.12.4 API, as well as many core components, maintains binary compatib
ility with previous releases.
## GA Release 2.12.4
Changes in this version include: Changes in this version include:
### Fixed Bugs ### Fixed Bugs
* [LOG4J2-3230](https://issues.apache.org/jira/browse/LOG4J2-3230): * [LOG4J2-3293](https://issues.apache.org/jira/browse/LOG4J2-3293):
Fix string substitution recursion. JdbcAppender now uses JndiManager to access JNDI resources. JNDI is only enabled
* [LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242): when system property
Limit JNDI to the java protocol only. JNDI will remain disabled by default. log4j2.enableJndiJdbc is set to true.
Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLo
okup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'.
* [LOG4J2-3241](https://issues.apache.org/jira/browse/LOG4J2-3241):
Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it ca
uses problems with the Maven enforcer plugin.
* [LOG4J2-3247](https://issues.apache.org/jira/browse/LOG4J2-3247):
PropertiesConfiguration.parseAppenderFilters NPE when parsing properties fil
e filters.
* [LOG4J2-3249](https://issues.apache.org/jira/browse/LOG4J2-3249):
Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514.
* [LOG4J2-3237](https://issues.apache.org/jira/browse/LOG4J2-3237):
Log4j 1.2 bridge API hard codes the Syslog protocol to TCP.
--- ---
Apache Log4j 2.12.3 requires a minimum of Java 7 to build and run. Log4j 2.3 was the Apache Log4j 2.12.4 requires a minimum of Java 7 to build and run. Log4j 2.3 was the
last release that supported Java 6. last release that supported Java 6.
Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api compone nt, however it Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api compone nt, however it
does not implement some of the very implementation specific classes and methods. The package does not implement some of the very implementation specific classes and methods. The package
names and Maven groupId have been changed to org.apache.logging.log4j to avoid a ny conflicts names and Maven groupId have been changed to org.apache.logging.log4j to avoid a ny conflicts
with log4j 1.x. with log4j 1.x.
For complete information on Apache Log4j 2, including instructions on how to sub mit bug For complete information on Apache Log4j 2, including instructions on how to sub mit bug
reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website:
 End of changes. 6 change blocks. 
41 lines changed or deleted 14 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)