Author: rgoers
Date: Wed Dec 18 22:32:36 2019
New Revision: 1054230
Log:
Publish security vulnerability and problems on Java 9
Modified:
websites/production/logging/content/log4j/log4j-1.2.17/index.html
Modified: websites/production/logging/content/log4j/log4j-1.2.17/index.html
==============================================================================
--- websites/production/logging/content/log4j/log4j-1.2.17/index.html (original)
+++ websites/production/logging/content/log4j/log4j-1.2.17/index.html Wed Dec
18 22:32:36 2019
@@ -152,23 +152,12 @@
<div id="bodyColumn">
<div id="contentBox">
<!-- Licensed to the Apache Software Foundation (ASF) under one or
more --><!-- contributor license agreements. See the NOTICE file distributed
with --><!-- this work for additional information regarding copyright
ownership. --><!-- The ASF licenses this file to You under the Apache License,
Version 2.0 --><!-- (the "License"); you may not use this file except in
compliance with --><!-- the License. You may obtain a copy of the License at
--><!-- --><!-- http://www.apache.org/licenses/LICENSE-2.0 --><!-- --><!--
Unless required by applicable law or agreed to in writing, software --><!--
distributed under the License is distributed on an "AS IS" BASIS, --><!--
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--><!-- See the License for the specific language governing permissions and
--><!-- limitations under the License. -->
-<div align="center">
-<br><br>
-<a href="https://jaxlondon.com/jax-awards/"><img
src="images/VoteLog4j2-JAX2016InnovationAward.jpg"></a>
-<p>
-<table border="1" cellspacing="0" align="center" style="width:400px">
-<tr>
-<td align="center">
-Log4j 2 is nominated for the JAX Innovation Awards! <br><br>
-Do you like its performance, garbage-free logging, and easy and flexible
configuration?<br><br>
-Log4j 2 needs your love.
-<a href="https://jaxlondon.com/jax-awards/">Vote for Log4j 2!</a><br><br>
-
-</td>
-</tr>
-</table>
-</div>
- <div class="section"><h2>End of Life</h2><p>On August 5, 2015 the
Logging Services Project Management Committee announced that Log4j 1.x had
reached end of life. For complete text of the announcement please see the <a
href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache
Blog</a>. Users of Log4j 1 are recommended to upgrade to <a
class="externalLink"
href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
+ <div class="section">
+ <h2>End of Life</h2><p>On August 5, 2015 the Logging Services
Project Management Committee announced that Log4j 1.x had reached end of life.
For complete text of the announcement please see the <a
href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache
Blog</a>. Users of Log4j 1 are recommended to upgrade to <a
class="externalLink"
href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
+ <h2>Security Vulnerabilities</h2>
+ <p>A security vulnerability, <a
href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> has
been identified against Log4j 1. Since Log4j 1 is no longer maintained this
issue will not be fixed. Users are urged to upgrade to Log4j 2.</p>
+ <h2>Java Version Incompatibilities</h2>
+ <p>The version detection algorithm changed in Java 9 which
causes the MDC not to work properly. See <a
href="https://blogs.apache.org/logging/entry/moving_on_to_log4j_2">Log4j 1.2 is
broken on Java 9</a> for details.</p>
<h2>Apache log4j™ 1.2<a
name="Apache_log4j_1.2"></a></h2><p>Welcome to Apache log4j, a logging library
for Java. Apache log4j is an Apache Software Foundation Project and developed
by a dedicated team of Committers of the Apache Software Foundation. For more
info, please see <a class="externalLink" href="http://www.apache.org">The
Apache Software Foundation</a>. Apache log4j is also part of a project which is
known as <a class="externalLink" href="http://logging.apache.org">Apache
Logging</a>. Please see the <a href="/license.html">License</a>.</p><p>If you
are interested in the recent changes, visit our <a
href="/changes-report.html">changes report</a>.</p>
<div class="section"><h3>Why logging?<a
name="Why_logging"></a></h3><p>Inserting log statements into your code is a
low-tech method for debugging it. It may also be the only way because debuggers
are not always available or applicable. This is often the case for distributed
applications.</p><p>On the other hand, some people argue that log statements
pollute source code and decrease legibility. (We believe that the contrary is
true). In the Java language where a preprocessor is not available, log
statements increase the size of the code and reduce its speed, even when
logging is turned off. Given that a reasonably sized application may contain
thousands of log statements, speed is of particular importance.</p></div>
<div class="section"><h3>Why log4j?<a
name="Why_log4j"></a></h3><p>With log4j it is possible to enable logging at
runtime without modifying the application binary. The log4j package is designed
so that these statements can remain in shipped code without incurring a heavy
performance cost. Logging behavior can be controlled by editing a configuration
file, without touching the application binary.</p><p>Logging equips the
developer with detailed context for application failures. On the other hand,
testing provides quality assurance and confidence in the application. Logging
and testing should not be confused. They are complementary. When logging is
wisely used, it can prove to be an essential tool.</p><p>One of the distinctive
features of log4j is the notion of inheritance in loggers. Using a logger
hierarchy it is possible to control which log statements are output at
arbitrarily fine granularity but also great ease. This helps to reduce the
volume of logged output and
the cost of logging.</p><p>The target of the log output can be a file, an
OutputStream, a java.io.Writer, a remote log4j server, a remote Unix Syslog
daemon, or many other output targets.</p></div>
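Review bot: The added "Security Vulnerabilities" paragraph gives readers only the identifier CVE-2019-17571 and a link to cvedetails.com, so someone landing on this page cannot tell which part of Log4j 1 is affected or whether their deployment is exposed. Because the same paragraph says the issue will not be fixed, add one sentence naming the affected component and any interim measure for users who cannot move to Log4j 2 right away, and link an authoritative CVE record alongside or instead of the third-party page. Smaller points in the same added block: the sentence needs a comma after the link ("A security vulnerability, CVE-2019-17571, has been identified ..."); the two new h2 headings have no name anchor, unlike the unchanged "Apache log4j 1.2" and "Why logging?" headings below them, so they cannot be deep-linked; and the re-added End of Life paragraph keeps http:// for the blogs.apache.org and logging.apache.org links while the new links use https://.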