"Fossies" - the Fresh Open Source Software Archive 
Source code changes of the file "RELEASE-NOTES.md" between
apache-log4j-2.12.3-src.tar.gz and apache-log4j-2.12.4-src.tar.gz
About: Apache Log4j 2 is a logging library for Java. Source distribution (Java). Caution: Release 2.12.3 is the last 2.x release to support Java 7 (Java 8 users should use 2.17.0 or greater) and have fixed a critical remote code execution vulnerability (CVE-2021-44228).
| RELEASE-NOTES.md (apache-log4j-2.12.3-src) | : | RELEASE-NOTES.md (apache-log4j-2.12.4-src) | ||
|---|---|---|---|---|
| skipping to change at line 17 | skipping to change at line 17 | |||
| the License. You may obtain a copy of the License at | the License. You may obtain a copy of the License at | |||
| http://www.apache.org/licenses/LICENSE-2.0 | http://www.apache.org/licenses/LICENSE-2.0 | |||
| Unless required by applicable law or agreed to in writing, software | Unless required by applicable law or agreed to in writing, software | |||
| distributed under the License is distributed on an "AS IS" BASIS, | distributed under the License is distributed on an "AS IS" BASIS, | |||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
| See the License for the specific language governing permissions and | See the License for the specific language governing permissions and | |||
| limitations under the License. | limitations under the License. | |||
| --> | --> | |||
| # Apache Log4j 2.12.3 Release Notes | # Apache Log4j 2.12.4 Release Notes | |||
| The Apache Log4j 2 team is pleased to announce the Log4j 2.12.3 release! | The Apache Log4j 2 team is pleased to announce the Log4j 2.12.4 release! | |||
| Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade | Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade | |||
| to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides | to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides | |||
| many other modern features such as support for Markers, lambda expressions for l azy logging, | many other modern features such as support for Markers, lambda expressions for l azy logging, | |||
| property substitution using Lookups, multiple patterns on a PatternLayout and as ynchronous | property substitution using Lookups, multiple patterns on a PatternLayout and as ynchronous | |||
| Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (av oid allocating | Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (av oid allocating | |||
| temporary objects) while logging. In addition, Log4j 2 will not lose events whil e reconfiguring. | temporary objects) while logging. In addition, Log4j 2 will not lose events whil e reconfiguring. | |||
| The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/downlo ad.html. | The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/downlo ad.html. | |||
| This release contains the changes noted below: | This release contains the changes noted below: | |||
| * Address CVE-2021-45105. | * Address CVE-2021-44832. | |||
| * Require components that use JNDI to be enabled individually via system propert | ||||
| ies. | ||||
| * Remove LDAP and LDAPS as supported protocols from JNDI. | ||||
| Due to a break in compatibility in the SLF4J binding, Log4j now ships with two v | ||||
| ersions of the SLF4J to Log4j adapters. | ||||
| log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-i | ||||
| mpl should be used with SLF4J 1.8.x and | ||||
| later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.ap | ||||
| ache.org/jira/browse/LOG4J2-2975 and | ||||
| https://jira.qos.ch/browse/SLF4J-511. | ||||
| Some of the changes in Log4j 2.12.3 include: | ||||
| * Disable recursive evaluation of Lookups during log event processing. Recursive | ||||
| evaluation is still allowed while | ||||
| generating the configuration. | ||||
| * The JndiLookup, JndiContextSelector, and JMSAppender now require individual sy | ||||
| stem properties to be enabled. | ||||
| * Removed support for the LDAP and LDAPS protocols via JNDI. | ||||
| ## GA Release 2.12.3 | This release addresses CVE-2021-44832 for users still using Java 7. | |||
| The Log4j 2.12.4 API, as well as many core components, maintains binary compatib | ||||
| ility with previous releases. | ||||
| ## GA Release 2.12.4 | ||||
| Changes in this version include: | Changes in this version include: | |||
| ### Fixed Bugs | ### Fixed Bugs | |||
| * [LOG4J2-3230](https://issues.apache.org/jira/browse/LOG4J2-3230): | * [LOG4J2-3293](https://issues.apache.org/jira/browse/LOG4J2-3293): | |||
| Fix string substitution recursion. | JdbcAppender now uses JndiManager to access JNDI resources. JNDI is only enabled | |||
| * [LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242): | when system property | |||
| Limit JNDI to the java protocol only. JNDI will remain disabled by default. | log4j2.enableJndiJdbc is set to true. | |||
| Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLo | ||||
| okup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. | ||||
| * [LOG4J2-3241](https://issues.apache.org/jira/browse/LOG4J2-3241): | ||||
| Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it ca | ||||
| uses problems with the Maven enforcer plugin. | ||||
| * [LOG4J2-3247](https://issues.apache.org/jira/browse/LOG4J2-3247): | ||||
| PropertiesConfiguration.parseAppenderFilters NPE when parsing properties fil | ||||
| e filters. | ||||
| * [LOG4J2-3249](https://issues.apache.org/jira/browse/LOG4J2-3249): | ||||
| Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. | ||||
| * [LOG4J2-3237](https://issues.apache.org/jira/browse/LOG4J2-3237): | ||||
| Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. | ||||
| --- | --- | |||
| Apache Log4j 2.12.3 requires a minimum of Java 7 to build and run. Log4j 2.3 was the | Apache Log4j 2.12.4 requires a minimum of Java 7 to build and run. Log4j 2.3 was the | |||
| last release that supported Java 6. | last release that supported Java 6. | |||
| Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api compone nt, however it | Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api compone nt, however it | |||
| does not implement some of the very implementation specific classes and methods. The package | does not implement some of the very implementation specific classes and methods. The package | |||
| names and Maven groupId have been changed to org.apache.logging.log4j to avoid a ny conflicts | names and Maven groupId have been changed to org.apache.logging.log4j to avoid a ny conflicts | |||
| with log4j 1.x. | with log4j 1.x. | |||
| For complete information on Apache Log4j 2, including instructions on how to sub mit bug | For complete information on Apache Log4j 2, including instructions on how to sub mit bug | |||
| reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: | reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: | |||
| End of changes. 6 change blocks. | ||||
| 41 lines changed or deleted | 14 lines changed or added | |||