Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package log4j for openSUSE:Factory checked in at 2021-12-16 02:00:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/log4j (Old)
 and /work/SRC/openSUSE:Factory/.log4j.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "log4j"
Thu Dec 16 02:00:40 2021 rev:32 rq:940655 version:2.16.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/log4j/log4j.changes 2021-12-10 21:53:34.154923989 +0100
+++ /work/SRC/openSUSE:Factory/.log4j.new.2520/log4j.changes 2021-12-16 02:01:13.363643417 +0100
@@ -1,0 +2,26 @@
+Wed Dec 15 02:06:55 UTC 2021 - Simon Lees <sfl...@suse.de>
+
+- Update to 2.16.0 [bsc#1193743, CVE-2021-45046]
+ * Features
+ - Add JsonTemplateLayout.
+ - Create module log4j-mongodb4 to use new major version 4 MongoDB driver.
+ - More flexible configuration of the Disruptor WaitStrategy. Thanks to Stepan Gorban.
+ * Bugfixes and minor enhancements
+ - It was found that the fix to address CVE-2021-44228 in Apache
+ Log4j 2.15.0 was incomplete in certain non-default configurations.
+ This could allows attackers with control over Thread Context Map (MDC)
+ input data when the logging configuration uses a Pattern Layout with
+ either a Context Lookup (for example, $${ctx:loginId}) or a Thread
+ Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
+ using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.
+ Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.
+ Note that previous mitigations involving configuration such as setting the
+ system property log4j2.noFormatMsgLookup to true do NOT mitigate this
+ specific vulnerability.
+ - Upstream initial fix for bsc#1193611, CVE-2021-44228
+ - Numerous other minor bugfixes
+ * Drop CVE-2021-44228.patch included upstream
+ * To make the bots happy this stream isn't affected by bsc#1193662 CVE-2021-4104 which is
+ 1.X only
+
+-------------------------------------------------------------------
Old:
----
CVE-2021-44228.patch
apache-log4j-2.13.2-src.tar.gz
apache-log4j-2.13.2-src.tar.gz.asc
New:
----
apache-log4j-2.16.0-src.tar.gz
apache-log4j-2.16.0-src.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ log4j.spec ++++++
--- /var/tmp/diff_new_pack.BBSv1r/_old 2021-12-16 02:01:13.935643764 +0100
+++ /var/tmp/diff_new_pack.BBSv1r/_new 2021-12-16 02:01:13.939643767 +0100
@@ -16,9 +16,8 @@
 #
-%bcond_with extras
 Name: log4j
-Version: 2.13.2
+Version: 2.16.0
 Release: 0
 Summary: Java logging package
 License: Apache-2.0
@@ -26,13 +25,15 @@
 Source0: http://archive.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz
 Source1: http://archive.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz.asc
 Patch1: logging-log4j-Remove-unsupported-EventDataConverter.patch
-Patch2: CVE-2021-44228.patch
 BuildRequires: fdupes
 BuildRequires: maven-local
+BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind)
 BuildRequires: mvn(com.lmax:disruptor)
 BuildRequires: mvn(com.sun.mail:javax.mail)
+BuildRequires: mvn(commons-logging:commons-logging)
+BuildRequires: mvn(jakarta.servlet:jakarta.servlet-api)
 BuildRequires: mvn(org.apache.commons:commons-compress)
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires: mvn(org.apache.logging:logging-parent:pom:)
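Review bot: In the second hunk `Source1` still fetches the upstream `.asc` signature for the new 2.16.0 tarball, but nothing in the visible spec ties that signature to a keyring, so as far as this diff shows the signature is downloaded and never checked. If the spec does not carry a `%{name}.keyring` elsewhere, adding `Source2: %{name}.keyring` next to `Source1` would let OBS source validation verify the tarball against the upstream signing key, which is the supply-chain check a CVE-driven version bump benefits from most. The `Source0`/`Source1` lines are context only, so this may already be handled outside the hunk.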
@@ -44,26 +45,6 @@
 BuildRequires: mvn(org.slf4j:slf4j-ext)
 Obsoletes: log4j-mini
 BuildArch: noarch
-%if %{with extras}
-BuildRequires: mvn(com.datastax.cassandra:cassandra-driver-core)
-BuildRequires: mvn(com.fasterxml.jackson.dataformat:jackson-dataformat-xml)
-BuildRequires: mvn(com.fasterxml.jackson.dataformat:jackson-dataformat-yaml)
-BuildRequires: mvn(com.fasterxml.woodstox:woodstox-core)
-BuildRequires: mvn(commons-logging:commons-logging)
-BuildRequires: mvn(javax.servlet.jsp:jsp-api)
-BuildRequires: mvn(javax.servlet:javax.servlet-api)
-BuildRequires: mvn(org.apache.commons:commons-csv)
-BuildRequires: mvn(org.apache.tomcat:tomcat-catalina)
-BuildRequires: mvn(org.eclipse.jetty:jetty-util)
-BuildRequires: mvn(org.eclipse.persistence:javax.persistence)
-BuildRequires: mvn(org.jboss.spec.javax.jms:jboss-jms-api_1.1_spec)
-BuildRequires: mvn(org.lightcouch:lightcouch)
-BuildRequires: mvn(org.zeromq:jeromq)
-BuildRequires: mvn(sun.jdk:jconsole)
-# Explicit requires for javapackages-tools since log4j-jmx script
-# uses /usr/share/java-utils/java-functions
-Requires: javapackages-tools
-%endif
 %description
 Log4j is a tool to help the programmer output log statements to a
@@ -81,47 +62,6 @@
 %description jcl
 Apache Log4j Commons Logging Bridge.
-%if %{with extras}
-%package osgi
-Summary: Apache Log4J Core OSGi Bundles
-
-%description osgi
-Apache Log4J Core OSGi Bundles.
-
-%package taglib
-Summary: Apache Log4j Tag Library
-
-%description taglib
-Apache Log4j Tag Library for Web Applications.
-
-%package jmx-gui
-Summary: Apache Log4j JMX GUI
-Requires: java-devel
-
-%description jmx-gui
-Swing-based client for remotely editing the log4j configuration and remotely
-monitoring StatusLogger output. Includes a JConsole plug-in.
-
-%package web
-Summary: Apache Log4j Web
-
-%description web
-Support for Log4j in a web servlet container.
-
-%package bom
-Summary: Apache Log4j BOM
-
-%description bom
-Apache Log4j 2 Bill of Material
-
-%package nosql
-Summary: Apache Log4j NoSql
-
-%description nosql
-Use NoSQL databases such as MongoDB and CouchDB to append log messages.
-
-%endif
-
 %package javadoc
 Summary: API documentation for %{name}
 Obsoletes: %{name}-manual < %{version}
@@ -177,9 +117,9 @@
 # we don't have commons-dbcp2
 %pom_disable_module %{name}-jdbc-dbcp2
-# We have mongodb 4
-%pom_disable_module %{name}-mongodb2
+# We do not have mongodb
 %pom_disable_module %{name}-mongodb3
+%pom_disable_module %{name}-mongodb4
 # System scoped dep provided by JDK
 %pom_remove_dep :jconsole %{name}-jmx-gui
@@ -192,9 +132,8 @@
 %pom_remove_plugin :apache-rat-plugin %{name}-bom
 # tests are disabled
-%pom_remove_plugin :maven-failsafe-plugin
+%pom_remove_plugin -r :maven-failsafe-plugin
-%if %{without extras}
 %pom_disable_module %{name}-taglib
 %pom_disable_module %{name}-jmx-gui
 %pom_disable_module %{name}-bom
@@ -206,6 +145,7 @@
 %pom_disable_module %{name}-couchdb
 %pom_disable_module %{name}-cassandra
 %pom_disable_module %{name}-appserver
+%pom_disable_module %{name}-spring-boot
 %pom_disable_module %{name}-spring-cloud-config
 %pom_disable_module %{name}-kubernetes
 %pom_disable_module %{name}-jpl
@@ -224,7 +164,6 @@
 rm log4j-1.2-api/src/main/java/org/apache/log4j/builders/layout/*Xml*.java
 rm log4j-api/src/main/java/org/apache/logging/log4j/util/Activator.java
 rm -r log4j-1.2-api/src/main/java/org/apache/log4j/or/jms
-%endif
 %{mvn_alias} :%{name}-1.2-api %{name}:%{name}
@@ -253,10 +192,6 @@
 %mvn_install
 %fdupes -s %{buildroot}%{_javadocdir}
-%if %{with extras}
-%jpackage_script org.apache.logging.log4j.jmx.gui.ClientGUI '' '' %{name}/%{name}-jmx-gui:%{name}/%{name}-core %{name}-jmx false
-%endif
-
 %files -f .mfiles
 %dir %{_javadir}/%{name}
 %license LICENSE.txt
@@ -266,19 +201,6 @@
 %files jcl -f .mfiles-jcl
-%if %{with extras}
-%files taglib -f .mfiles-taglib
-
-%files web -f .mfiles-web
-
-%files bom -f .mfiles-bom
-
-%files nosql -f .mfiles-nosql
-
-%files jmx-gui -f .mfiles-jmx-gui
-%{_bindir}/%{name}-jmx
-%endif
-
 %files javadoc -f .mfiles-javadoc
 %license LICENSE.txt
 %doc NOTICE.txt
++++++ apache-log4j-2.13.2-src.tar.gz -> apache-log4j-2.16.0-src.tar.gz ++++++
/work/SRC/openSUSE:Factory/log4j/apache-log4j-2.13.2-src.tar.gz /work/SRC/openSUSE:Factory/.log4j.new.2520/apache-log4j-2.16.0-src.tar.gz differ: char 13, line 1