This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch log4j-2.12 in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/log4j-2.12 by this push: new 7226a94 [DOC] Update release notes for 2.12.3 7226a94 is described below commit 7226a94879eba7c15b0c46a006794c9bae48c4a4 Author: rpopma <rpo...@apache.org> AuthorDate: Mon Dec 20 10:01:42 2021 +0900 [DOC] Update release notes for 2.12.3 --- RELEASE-NOTES.md | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index 07dddce..dce21db 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md @@ -14,9 +14,9 @@ See the License for the specific language governing permissions and limitations under the License. --> -# Apache Log4j 2.12.2 Release Notes +# Apache Log4j 2.12.3 Release Notes -The Apache Log4j 2 team is pleased to announce the Log4j 2.12.2 release! +The Apache Log4j 2 team is pleased to announce the Log4j 2.12.3 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides 
@@ -27,31 +27,47 @@ temporary objects) while logging. In addition, Log4j 2 will not lose events whil The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html. -This release contains bugfixes and minor enhancements. +This release contains the changes noted below: + +* Address CVE-2021-45105. +* Require components that use JNDI to be enabled individually via system properties. +* Remove LDAP and LDAPS as supported protocols from JNDI. Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and -later. +later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.apache.org/jira/browse/LOG4J2-2975 and +https://jira.qos.ch/browse/SLF4J-511. -This release addresses CVE-2021-44228 for users still using Java 7 by disabling JNDI by default, only allowing the java -protocol when JNDI is enabled, making the JNDI Lookup inoperable, and removing the message lookup capability. +Some of the changes in Log4j 2.12.3 include: -The Log4j 2.12.2 API, as well as many core components, maintains binary compatibility with previous releases. +* Disable recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while +generating the configuration. +* The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled. +* Removed support for the LDAP and LDAPS protocols via JNDI. -## GA Release 2.12.2 +## GA Release 2.12.3 Changes in this version include: ### Fixed Bugs -* [LOG4J-3220](https://issues.apache.org/jira/browse/LOG4J-3220): -Disable JNDI by default, remove JNDI Lookup, remove message lookups. When enabled JNDI only supports the - java protocol. +* [LOG4J2-3230](https://issues.apache.org/jira/browse/LOG4J2-3230): + Fix string substitution recursion. 
+* [LOG4J2-3242](https://issues.apache.org/jira/browse/LOG4J2-3242): + Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. +* [LOG4J2-3241](https://issues.apache.org/jira/browse/LOG4J2-3241): + Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. +* [LOG4J2-3247](https://issues.apache.org/jira/browse/LOG4J2-3247): + PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. +* [LOG4J2-3249](https://issues.apache.org/jira/browse/LOG4J2-3249): + Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. +* [LOG4J2-3237](https://issues.apache.org/jira/browse/LOG4J2-3237): + Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. --- -Apache Log4j 2.12.2 requires a minimum of Java 7 to build and run. Log4j 2.3 was the +Apache Log4j 2.12.3 requires a minimum of Java 7 to build and run. Log4j 2.3 was the last release that supported Java 6. Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api component, however it @@ -62,4 +78,4 @@ with log4j 1.x. For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: -https://logging.apache.org/log4j/2.x/ \ No newline at end of file +https://logging.apache.org/log4j/2.x/
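Review bot: In the @@ -27,31 +27,47 @@ hunk, the LOG4J2-3242 entry renames 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector' without saying what happens to a deployment that still sets the old name, and the summary bullet "The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled" names none of the properties. Suggest stating next to the rename whether 'log4j2.enableJndi' is now ignored, and listing each property beside the component it enables. The same hunk deletes the CVE-2021-44228 paragraph, which said the JNDI Lookup was made inoperable, while the added bullets describe JndiLookup as something that can be enabled again; a sentence saying that the lookup is back as an opt-in restricted to the java protocol would remove the ambiguity. "Address CVE-2021-45105" also has no matching entry under Fixed Bugs; if LOG4J2-3230 ("Fix string substitution recursion") is that fix, name the CVE there. Finally, the two bullet lists ("the changes noted below" and "Some of the changes in Log4j 2.12.3 include") largely repeat each other and could be merged, and the binary-compatibility sentence is removed without a 2.12.3 replacement.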
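Review bot: In the @@ -62,4 +78,4 @@ hunk, the context line "see the Apache Apache Log4j 2 website:" repeats "Apache". Since this change already touches the closing paragraph to add the final newline, drop the duplicated word in the same commit.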