This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new e2287322 Automatic Site Publish by Buildbot e2287322 is described below commit e2287322ee4d9b6cf4fada3e8b79b2b5bb08a9e8 Author: buildbot <us...@infra.apache.org> AuthorDate: Mon Nov 13 08:37:44 2023 +0000 Automatic Site Publish by Buildbot --- content/blog/2023/10/11/release.html | 14 +- content/blog/index.html | 14 +- content/charter.html | 14 +- content/dormant.html | 14 +- content/feed.xml | 2 +- content/guidelines.html | 14 +- content/index.html | 14 +- content/mailing-lists.html | 14 +- content/security.html | 14 +- .../10/11/release.html => security/index.html} | 115 +++- content/security/known-vulnerabilities.html | 644 +++++++++++++++++++++ content/support.html | 426 ++++++++++++++ content/team-list.html | 14 +- content/what-is-logging.html | 14 +- 14 files changed, 1285 insertions(+), 42 deletions(-) diff --git a/content/blog/2023/10/11/release.html b/content/blog/2023/10/11/release.html index 04873f98..1f3f03f6 100644 --- a/content/blog/2023/10/11/release.html +++ b/content/blog/2023/10/11/release.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> 
@@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/blog/index.html b/content/blog/index.html index cd7407b0..aec62493 100644 --- a/content/blog/index.html +++ b/content/blog/index.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/charter.html b/content/charter.html index 73776b75..720f854c 100644 --- a/content/charter.html +++ b/content/charter.html 
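Review bot: The new Security menu toggle in content/blog/2023/10/11/release.html is written as `<a href="#" class="dropdown-toggle" data-toggle="dropdown">`, an anchor with no destination doing a button's job and with nothing that tells assistive technology it opens a menu. It copies the existing Apache toggle visible in the context lines, so the change belongs in the shared navigation template rather than in this generated file: at minimum add `role="button" aria-haspopup="true"` to the toggle, and add `aria-expanded` only if the dropdown script keeps it in sync. The identical block is added by the `@@ -113,7 +113,17 @@` hunk of blog/index.html, charter.html, dormant.html, guidelines.html, index.html, mailing-lists.html, security.html and security/index.html. The enclosing navbar starts and ends outside the hunk.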
@@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/dormant.html b/content/dormant.html index 753db0c3..0c6d1337 100644 --- a/content/dormant.html +++ b/content/dormant.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> 
@@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/feed.xml b/content/feed.xml index 4147c1cf..5bbec46d 100644 --- a/content/feed.xml +++ b/content/feed.xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2023-11-02T18:21:26+00:00</updated><id>/feed.xml</id><title type="html">Apache Software Foundation - Logging Services</title><subtitle>Write an awesome description for your new site here. You can edit this line in _ [...] +<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.2">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2023-11-13T08:37:43+00:00</updated><id>/feed.xml</id><title type="html">Apache Software Foundation - Logging Services</title><subtitle>Write an awesome description for your new site here. You can edit this line in _ [...] <h2 id="release">Release</h2> <div class="sectionbody"> <div class="paragraph"> diff --git a/content/guidelines.html b/content/guidelines.html index 52511860..4c1ff722 100644 --- a/content/guidelines.html +++ b/content/guidelines.html 
@@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/index.html b/content/index.html index ca0abcdd..b9b4025e 100644 --- a/content/index.html +++ b/content/index.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> 
@@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/mailing-lists.html b/content/mailing-lists.html index fd40e43f..65cecfed 100644 --- a/content/mailing-lists.html +++ b/content/mailing-lists.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/security.html b/content/security.html index ecd88527..8f5cc7d1 100644 --- a/content/security.html +++ b/content/security.html 
@@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> diff --git a/content/blog/2023/10/11/release.html b/content/security/index.html similarity index 59% copy from content/blog/2023/10/11/release.html copy to content/security/index.html index 04873f98..1bf8ae22 100644 --- a/content/blog/2023/10/11/release.html +++ b/content/security/index.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> 
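Review bot: content/security.html receives only the two navigation hunks (its 14 changed lines in the diffstat are exactly those), so the legacy page stays published at /security.html while the new Security menu points to /security/ and /security/known-vulnerabilities.html. Its body is not visible in this diff, but if it still carries vulnerability listings or reporting instructions it will drift from the new pages and keep being reached through old inbound links. Consider replacing it in the site source with a redirect or short pointer, for example `<meta http-equiv="refresh" content="0; url=/security/">` together with `<link rel="canonical" href="/security/">`.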
@@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> 
@@ -135,37 +145,100 @@ <div class="container"> <div class="content"> - <div class="hero-unit"> - - - <h1>Log4j 2.21.0 released</h1> - <p>We are pleased to announce the Log4j 2.21.0 release!</p> - </div> - <time itemprop="datePublished" datetime="2023-10-11"> - 11 Oct 2023 - </time> - - <div itemprop="text"><div class="sect1"> -<h2 id="release">Release</h2> + <div class="sect1"> +<h2 id="security">Security</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>The Apache Logging Services Security Team takes security seriously. +This allows our users to place their trust in Log4j for protecting their mission-critical data. +In this page we will help you find guidance on security-related issues and access to known vulnerabilities.</p> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported. +Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed. 
+Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p> +</div> +</td> +</tr> +</table> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="support">Getting support</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>If you need help on building or configuring any logging component such as Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please use our <a href="../support.html#discussions">user support channels</a>.</p> +</div> +<div class="admonitionblock tip"> +<table> +<tr> +<td class="icon"> +<div class="title">Tip</div> +</td> +<td class="content"> +<div class="paragraph"> +<p>If you need to apply a source code patch, use the building instructions for the Log4j version that you are using. +These instructions can be found in <code>BUILDING.md</code> distributed with the sources.</p> +</div> +</td> +</tr> +</table> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="reporting">Reporting vulnerabilities</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them <strong>privately</strong> to <a href="mailto:secur...@logging.apache.org">the Logging Services Security Team</a>.</p> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p>The threat model that Log4j uses considers configuration files as safe input controlled by the programmer; <strong>potential vulnerabilities that require the ability to modify a configuration are not considered vulnerabilities</strong> as the required access to do so implies the attacker can execute arbitrary code.</p> +</div> +</td> +</tr> +</table> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="policy">Vulnerability handling 
policy</h2> <div class="sectionbody"> <div class="paragraph"> -<p>The Apache Log4j 2 team is pleased to announce the Log4j 2.21.0 release!</p> +<p>The Apache Logging Services Security Team follows the <a href="https://www.apache.org/security/committers.html">ASF Project Security</a> guide for handling security vulnerabilities.</p> </div> <div class="paragraph"> -<p>It contains many improvements over the previous version. Most notably, it…​</p> +<p>Reported security vulnerabilities are subject to voting (by means of <a href="https://logging.apache.org/guidelines.html"><em>lazy approval</em></a>, preferably) in the private <a href="mailto:secur...@logging.apache.org">security mailing list</a> before creating a CVE and populating its associated content. +This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.</p> </div> </div> </div> <div class="sect1"> -<h2 id="changes">Changes</h2> +<h2 id="vdr">Vulnerability Disclosure Report (VDR)</h2> <div class="sectionbody"> <div class="paragraph"> -<p>sss</p> +<p>Starting with version <code>2.22.0</code>, Log4j distributes <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Software Bill of Materials (SBOM)</a> along with each deployed artifact. +Produced SBOMs contain BOM-links referring to a <a href="https://cyclonedx.org/capabilities/vdr">CycloneDX Vulnerability Disclosure Report (VDR)</a> that Apache Logging Services uses for all projects it maintains. +All this is streamlined by <code>logging-parent</code>, see <a href="https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom">its website</a> for details.</p> +</div> </div> </div> -</div></div> </div> - <div class="footer"> <p> @@ -184,4 +257,4 @@ </div> </body> -</html> \ No newline at end of file +</html> diff --git a/content/security/known-vulnerabilities.html b/content/security/known-vulnerabilities.html new file mode 100644 index 00000000..d629e928 --- /dev/null 
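Review bot: The Log4j 1 end-of-life warning added to content/security/index.html links the upgrade guide as `<a href="manual/migration.html">`, which is relative and from /security/index.html resolves to /security/manual/migration.html; nothing in this commit's diffstat adds that path, so the only remediation link in the warning is probably dead. It looks carried over from a page that lives under the Log4j 2 site, and an absolute target such as `<a href="/log4j/2.x/manual/migration.html">` would match the `/log4j/2.x/` prefix the site navigation uses. The same warning links `http://logging.apache.org/log4j/1.x` over plain HTTP, which should be `https://`. In the VDR section both the SBOM anchor and the VDR anchor point at `https://cyclonedx.org/capabilities/vdr`; the first was presumably meant to reference the SBOM description. The page is generated, so these fixes belong in the site source rather than in this file.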
+++ b/content/security/known-vulnerabilities.html 
@@ -0,0 +1,644 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <title>Apache Logging Services</title> + + <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css" /> + <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" /> + <link href="/css/site.css" rel="stylesheet" type="text/css" /> + + <script src="/js/jquery.min.js"></script> + <script src="/js/bootstrap.min.js"></script> + <script src="/js/site.js"></script> + <link rel="alternate" type="application/rss+xml" title="ASF Loggin Services" href="/feed.xml"> +</head> + + +<body> +<div class="navbar"> + <div class="navbar-inner"> + <div class="container"> + <a class="brand" href="/">Apache Logging Services™</a> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">About<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/guidelines.html">Guidelines</a></li> + <li><a href="/charter.html">Charter</a></li> + <li><a href="/team-list.html">Team</a></li> + <li><a href="/support.html">Support & Help</a></li> + <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> + <li><a href="/what-is-logging.html">What is logging?</a> + </li> + </ul> + </li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Projects<b class="caret"></b></a> + <ul class="dropdown-menu"> + + + <li><a href="/log4j/2.x/index.html">Apache Log4j™</a></li> + + + + <li><a href="/log4j/kotlin/index.html">Apache Log4j™ for Kotlin</a></li> + + + + <li><a href="/log4j/scala/index.html">Apache Log4j™ for Scala</a></li> + + + + <li><a href="/log4cxx">Apache log4cxx</a></li> + + + + <li><a href="/chainsaw/2.x/index.html">Apache chainsaw</a></li> + + + + <li><a href="/log4j-audit/latest/index.html">Apache Log4j Audit</a></li> + + + + <li><a href="/log4net">Apache Log4Net</a></li> + + + + + + + 
+ + </ul> + </li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Dormant<b class="caret"></b></a> + <ul class="dropdown-menu"> + + + + + + + + + + + + + + + + + <li><a href="/log4j/1.2/index.html">Apache Log4j 1.x</a></li> + + + + <li><a href="/log4j/extras/index.html">Apache log4j 1 extras</a></li> + + + + <li><a href="/log4php">Apache log4php</a></li> + + + </ul> + </li> + </ul> + <ul class="nav"> + <li><a href="/blog">Blog</a></li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + + <ul class="nav pull-right"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a target="_blank" href="https://www.apache.org/">Home</a></li> + <li><a target="_blank" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a target="_blank" href="https://www.apache.org/licenses/">License</a></li> + <li><a target="_blank" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> + <li><a target="_blank" href="https://www.apache.org/events/current-event.html">Current Events</a></li> + <li><a target="_blank" href="https://www.apache.org/security/">Security</a></li> + <li><a target="_blank" href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li> + </ul> + </li> + </ul> + </div> + </div> +</div> + + +<div class="container"> + <div class="content"> + <div class="sect1"> +<h2 id="vulnerabilities">Known vulnerabilities</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>The Logging Services Security Team 
believes that accuracy, completeness and availability of security information is essential for our users. +We choose to pool all information on this one page, allowing easy searching for security vulnerabilities over a range of criteria.</p> +</div> +<div class="admonitionblock note"> +<table> +<tr> +<td class="icon"> +<div class="title">Note</div> +</td> +<td class="content"> +<div class="paragraph"> +<p>We adhere to <a href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html">the Maven version range syntax</a> while sharing versions of affected components. +We only extend this mathematical notation with set union operator (i.e., <code>∪</code>) to denote union of multiple ranges.</p> +</div> +</td> +</tr> +</table> +</div> +<div class="sect2"> +<h3 id="CVE-2021-44832"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">JDBC appender is vulnerable to remote code execution in certain configurations</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)</code></p></td> 
+</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2021-44832-description">Description</h4> +<div class="paragraph"> +<p>An attacker with write access to the logging configuration can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. +This issue is fixed by limiting JNDI data source names to the <code>java</code> protocol.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-44832-mitigation">Mitigation</h4> +<div class="paragraph"> +<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 7), or <code>2.17.1</code> (for Java 8 and later).</p> +</div> +<div class="paragraph"> +<p>In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than <code>java</code>.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-44832-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a></p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect2"> +<h3 id="CVE-2021-45105"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">Infinite recursion in lookup evaluation</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> +<td 
class="tableblock halign-left valign-top"><p class="tableblock">5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2021-45105-description">Description</h4> +<div class="paragraph"> +<p>Log4j versions <code>2.0-alpha1</code> through <code>2.16.0</code> (excluding <code>2.3.1</code> and <code>2.12.3</code>), did not protect from uncontrolled recursion that can be implemented using self-referential lookups. +When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a <code>StackOverflowError</code> that will terminate the process. 
+This is also known as a <em>DoS (Denial-of-Service)</em> attack.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45105-mitigation">Mitigation</h4> +<div class="paragraph"> +<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> +</div> +<div class="paragraph"> +<p>Alternatively, this infinite recursion issue can be mitigated in configuration:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>In PatternLayout in the logging configuration, replace Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> with Thread Context Map patterns (<code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>).</p> +</li> +<li> +<p>Otherwise, in the configuration, remove references to Context Lookups like <code>${ctx:loginId}</code> or <code>$${ctx:loginId}</code> where they originate +from sources external to the application such as HTTP headers or user input. +Note that this mitigation is insufficient in releases older than <code>2.12.2</code> (for Java 7), and <code>2.16.0</code> (for Java 8 and later) as the issues fixed in those releases will still be present.</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. 
+Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45105-credits">Credits</h4> +<div class="paragraph"> +<p>Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein of Trend Micro Research working with Trend Micro’s Zero Day Initiative, and another anonymous vulnerability researcher.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45105-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3230">LOG4J2-3230</a></p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect2"> +<h3 id="CVE-2021-45046"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">Thread Context Lookup is vulnerable to remote code execution in certain configurations</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2021-45046-description">Description</h4> +<div class="paragraph"> +<p>It was found that the fix to address <a href="#CVE-2021-44228">CVE-2021-44228</a> in Log4j <code>2.15.0</code> was incomplete in certain non-default configurations. +When the logging configuration uses a non-default Pattern Layout with a Thread Context Lookup (for example, <code>$${ctx:loginId}</code>), attackers with control over Thread Context Map (MDC) can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. +Remote code execution has been demonstrated on macOS, Fedora, Arch Linux, and Alpine Linux.</p> +</div> +<div class="paragraph"> +<p>Note that this vulnerability is not limited to just the JNDI lookup. +Any other Lookup could also be included in a Thread Context Map variable and possibly have private details exposed to anyone with access to the logs.</p> +</div> +<div class="paragraph"> +<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. 
+Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45046-mitigation">Mitigation</h4> +<div class="paragraph"> +<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45046-credits">Credits</h4> +<div class="paragraph"> +<p>This issue was discovered by Kai Mindermann of iC Consult and separately by 4ra1n.</p> +</div> +<div class="paragraph"> +<p>Additional vulnerability details discovered independently by Ash Fox of Google, Alvaro Muñoz and Tony Torralba from GitHub, Anthony Weems of Praetorian, and RyotaK (@ryotkak).</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-45046-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3221">LOG4J2-3221</a></p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect2"> +<h3 id="CVE-2021-44228"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)</p></td> +</tr> +<tr> +<th class="tableblock halign-left 
valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2021-44228-description">Description</h4> +<div class="paragraph"> +<p>In Log4j, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. +An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers.</p> +</div> +<div class="paragraph"> +<p>Note that only the <code>log4j-core</code> JAR file is impacted by this vulnerability. +Applications using only the <code>log4j-api</code> JAR file without the <code>log4j-core</code> JAR file are not impacted by this vulnerability.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-44228-mitigation">Mitigation</h4> +<div class="sect4"> +<h5 id="CVE-2021-44228-mitigation-log4j1">Log4j 1 mitigation</h5> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p><a href="http://logging.apache.org/log4j/1.x">Log4j 1</a> has <a href="https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">reached End of Life</a> in 2015, and is no longer supported. 
+Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed. +Users should <a href="manual/migration.html">upgrade to Log4j 2</a> to obtain security fixes.</p> +</div> +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>Log4j 1 does not have Lookups, so the risk is lower. +Applications using Log4j 1 are only vulnerable to this attack when they use JNDI in their configuration. +A separate CVE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</a>) has been filed for this vulnerability. +To mitigate, audit your logging configuration to ensure it has no <code>JMSAppender</code> configured. +Log4j 1 configurations without <code>JMSAppender</code> are not impacted by this vulnerability.</p> +</div> +</div> +<div class="sect4"> +<h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5> +<div class="paragraph"> +<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 7), or <code>2.17.0</code> (for Java 8 and later).</p> +</div> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-44228-credits">Credits</h4> +<div class="paragraph"> +<p>This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2021-44228-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3198">LOG4J2-3198</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-3201">LOG4J2-3201</a></p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect2"> +<h3 id="CVE-2020-9488"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left 
valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">Improper validation of certificate with host mismatch in SMTP appender</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 3.x Score & Vector</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8 and later)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2020-9488-description">Description</h4> +<div class="paragraph"> +<p>Improper validation of certificate with host mismatch in SMTP appender. +This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log +messages sent through that appender.</p> +</div> +<div class="paragraph"> +<p>The reported issue was caused by an error in <code>SslConfiguration</code>. +Any element using <code>SslConfiguration</code> in the Log4j <code>Configuration</code> is also affected by this issue. +This includes <code>HttpAppender</code>, <code>SocketAppender</code>, and <code>SyslogAppender</code>. 
+Usages of <code>SslConfiguration</code> that are configured via system properties are not affected.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2020-9488-mitigation">Mitigation</h4> +<div class="paragraph"> +<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and later).</p> +</div> +<div class="paragraph"> +<p>Alternatively, users can set the <code>mail.smtp.ssl.checkserveridentity</code> system property to <code>true</code> to enable SMTPS hostname verification for all SMTPS mail sessions.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2020-9488-credits">Credits</h4> +<div class="paragraph"> +<p>This issue was discovered by Peter Stöckli.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2020-9488-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-2819">LOG4J2-2819</a></p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect2"> +<h3 id="CVE-2017-5645"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></h3> +<table class="tableblock frame-all grid-all stretch"> +<colgroup> +<col style="width: 16.6666%;"> +<col style="width: 83.3334%;"> +</colgroup> +<tbody> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Summary</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">TCP/UDP socket servers can be exploited to execute arbitrary code</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 2.0 Score & Vector</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock">7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)</p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Components affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>log4j-core</code></p></td> +</tr> 
+<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions affected</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[2.0-alpha1, 2.8.2)</code></p></td> +</tr> +<tr> +<th class="tableblock halign-left valign-top"><p class="tableblock">Versions fixed</p></th> +<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2.8.2</code> (Java 7)</p></td> +</tr> +</tbody> +</table> +<div class="sect3"> +<h4 id="CVE-2017-5645-description">Description</h4> +<div class="paragraph"> +<p>When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2017-5645-mitigation">Mitigation</h4> +<div class="paragraph"> +<p>Java 7 and above users should migrate to version <code>2.8.2</code> or avoid using the socket server classes. +Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport <a href="https://github.com/apache/logging-log4j2/commit/5dcc192">the security fix commit</a> from <code>2.8.2</code>.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2017-5645-credits">Credits</h4> +<div class="paragraph"> +<p>This issue was discovered by Marcio Almeida de Macedo of Red Team at Telstra.</p> +</div> +</div> +<div class="sect3"> +<h4 id="CVE-2017-5645-references">References</h4> +<div class="ulist"> +<ul> +<li> +<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5645">CVE-2017-5645</a></p> +</li> +<li> +<p><a href="https://issues.apache.org/jira/browse/LOG4J2-1863">LOG4J2-1863</a></p> +</li> +<li> +<p><a href="https://github.com/apache/logging-log4j2/commit/5dcc192">Security fix commit</a></p> +</li> +</ul> +</div> +</div> +</div> +</div> +</div> + </div> + +<div class="footer"> + <p> + Copyright © 2017-2023 <a href="https://www.apache.org" target="external">The 
Apache Software Foundation</a>. + Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0" + target="external">Apache Software License, Version 2.0</a> Please read our <a href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy policy</a>. + </p><p> + Apache, Apache chainsaw, Apache log4cxx, Apache log4j, Apache log4net, Apache log4php and the Apache + feather logo are trademarks of The Apache Software Foundation. Oracle and Java are registered trademarks + of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. + </p><p> + Site powered by <a href="https://getbootstrap.com/" target="external">Bootstrap</a> + and <a href="https://jquery.com/" target="external">jQuery</a>. + </p> +</div> + +</div> +</body> +</html> diff --git a/content/support.html b/content/support.html new file mode 100644 index 00000000..2009f73f --- /dev/null +++ b/content/support.html 
@@ -0,0 +1,426 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <title>Apache Logging Services</title> + + <link href="/css/asciidoctor-default.css" rel="stylesheet" type="text/css" /> + <link href="/css/bootstrap.min.css" rel="stylesheet" type="text/css" /> + <link href="/css/site.css" rel="stylesheet" type="text/css" /> + + <script src="/js/jquery.min.js"></script> + <script src="/js/bootstrap.min.js"></script> + <script src="/js/site.js"></script> + <link rel="alternate" type="application/rss+xml" title="ASF Loggin Services" href="/feed.xml"> +</head> + + +<body> +<div class="navbar"> + <div class="navbar-inner"> + <div class="container"> + <a class="brand" href="/">Apache Logging Services™</a> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">About<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/guidelines.html">Guidelines</a></li> + <li><a href="/charter.html">Charter</a></li> + <li><a href="/team-list.html">Team</a></li> + <li><a href="/support.html">Support & Help</a></li> + <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> + <li><a href="/what-is-logging.html">What is logging?</a> + </li> + </ul> + </li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Projects<b class="caret"></b></a> + <ul class="dropdown-menu"> + + + <li><a href="/log4j/2.x/index.html">Apache Log4j™</a></li> + + + + <li><a href="/log4j/kotlin/index.html">Apache Log4j™ for Kotlin</a></li> + + + + <li><a href="/log4j/scala/index.html">Apache Log4j™ for Scala</a></li> + + + + <li><a href="/log4cxx">Apache log4cxx</a></li> + + + + <li><a href="/chainsaw/2.x/index.html">Apache chainsaw</a></li> + + + + <li><a href="/log4j-audit/latest/index.html">Apache Log4j Audit</a></li> + + + + <li><a href="/log4net">Apache Log4Net</a></li> + + + + + + + 
+ + </ul> + </li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Dormant<b class="caret"></b></a> + <ul class="dropdown-menu"> + + + + + + + + + + + + + + + + + <li><a href="/log4j/1.2/index.html">Apache Log4j 1.x</a></li> + + + + <li><a href="/log4j/extras/index.html">Apache log4j 1 extras</a></li> + + + + <li><a href="/log4php">Apache log4php</a></li> + + + </ul> + </li> + </ul> + <ul class="nav"> + <li><a href="/blog">Blog</a></li> + </ul> + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + + <ul class="nav pull-right"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a target="_blank" href="https://www.apache.org/">Home</a></li> + <li><a target="_blank" href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a target="_blank" href="https://www.apache.org/licenses/">License</a></li> + <li><a target="_blank" href="https://www.apache.org/foundation/thanks.html">Thanks</a></li> + <li><a target="_blank" href="https://www.apache.org/events/current-event.html">Current Events</a></li> + <li><a target="_blank" href="https://www.apache.org/security/">Security</a></li> + <li><a target="_blank" href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a></li> + </ul> + </li> + </ul> + </div> + </div> +</div> + + +<div class="container"> + <div class="content"> + <div id="preamble"> +<div class="sectionbody"> +<div class="paragraph"> +<p>The Apache Software Foundation does not employ individuals to develop and support any of 
its projects. +The individuals who contribute to Apache projects do it either as part of specific tasks assigned to them by their employer, on their own initiative to benefit their employer, or on their own free time.</p> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="discussions">User support</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>If you have questions like:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><em>"How do I configure Log4j with the file appender?"</em></p> +</li> +<li> +<p><em>"My layout is not working as expected; what should I do?"</em></p> +</li> +<li> +<p><em>"How can I migrate from Log4j 1 with this custom configuration?"</em></p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>We urge you to first check our <a href="faq.html">FAQ</a> to see if it has already been answered. +If not, you can ask your questions on one of our official user support channels:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p><a href="https://github.com/apache/logging-log4j2/discussions">GitHub Discussions</a> (<strong>experimental</strong>)</p> +</li> +<li> +<p><code>log4j-u...@logging.apache.org</code> mailing list (public | <a href="mailto:log4j-user-subscr...@logging.apache.org">subscribe</a> | <a href="mailto:log4j-user-unsubscr...@logging.apache.org">unsubscribe</a> | <a href="mailto:log4j-u...@logging.apache.org">post</a> | <a href="https://lists.apache.org/list.html?log4j-user@logging.apache.org">archive</a>)</p> +</li> +</ul> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p><strong>You are expected to be subscribed</strong> to a mailing list to receive replies to your posted questions! 
+If you are not subscribed, when you post an email, it will be subject to moderation (hence, will be distributed with a delay) and the only way you would be able to follow the conversation is to use the mailing list archive.</p> +</div> +</td> +</tr> +</table> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p>Messages sent to a public mailing list will be seen by many people and also re-published by 3rd party websites. +It is usually not possible to remove them. +Please <strong>don’t send mails containing confidential information</strong> to public mailing lists. +For more information, please see the <a href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy policy</a></p> +</div> +</td> +</tr> +</table> +</div> +<div class="ulist"> +<ul> +<li> +<p><a href="http://stackoverflow.com">Stack Overflow</a> (use <a href="http://stackoverflow.com/questions/tagged/log4j">log4j</a> or <a href="http://stackoverflow.com/questions/tagged/log4j2">log4j2</a> tags)</p> +</li> +</ul> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="maintainer-discussions">Maintainer discussions</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>Apache Log4j project officially uses mailing lists for discussions related to maintenance and development.</p> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p><strong>You are expected to be subscribed</strong> to a mailing list to receive replies to your posted questions! 
+If you are not subscribed, when you post an email, it will be subject to moderation (hence, will be distributed with a delay) and the only way you would be able to follow the conversation is to use the mailing list archive.</p> +</div> +</td> +</tr> +</table> +</div> +<div class="paragraph"> +<p>If you have questions or feedback like:</p> +</div> +<div class="ulist"> +<ul> +<li> +<p>A class should have public visibility instead of package-scoped</p> +</li> +<li> +<p>A plugin is missing configuration options</p> +</li> +<li> +<p>You found a bug</p> +</li> +</ul> +</div> +<div class="paragraph"> +<p>then please contact us using the following mailing lists:</p> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1"><code>d...@logging.apache.org</code> (public | <a href="mailto:dev-subscr...@logging.apache.org">subscribe</a> | <a href="mailto:dev-unsubscr...@logging.apache.org">unsubscribe</a> | <a href="mailto:d...@logging.apache.org">post</a> | <a href="https://lists.apache.org/list.html?dev@logging.apache.org">archive</a>)</dt> +<dd> +<p>For <em>development</em> discussions +(Please prefix subjects with <code>[log4j]</code> when starting a new thread!)</p> +</dd> +</dl> +</div> +<div class="admonitionblock warning"> +<table> +<tr> +<td class="icon"> +<div class="title">Warning</div> +</td> +<td class="content"> +<div class="paragraph"> +<p>Messages sent to a public mailing list will be seen by many people and also re-published by 3rd party websites. +It is usually not possible to remove them. +Please <strong>don’t send mails containing confidential information</strong> to public mailing lists. 
+For more information, please see the <a href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy policy</a></p> +</div> +</td> +</tr> +</table> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1"><code>secur...@logging.apache.org</code> (private | <a href="mailto:secur...@logging.apache.org">post</a>)</dt> +<dd> +<p>For reporting unlisted <strong>security vulnerabilities</strong> or other unexpected behaviour that has a security impact</p> +</dd> +<dt class="hdlist1"><code>priv...@logging.apache.org</code> (private | <a href="mailto:priv...@logging.apache.org">post</a>)</dt> +<dd> +<p>For the discussion of confidential topics within the Apache Logging Services project management committee.</p> +</dd> +</dl> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="issues">Issues</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>The Log4j project uses <a href="https://github.com/apache/logging-log4j2/issues">GitHub Issues</a> as its issue tracking system. 
+The old issue tracking system, <a href="https://issues.apache.org/jira/projects/LOG4J2">JIRA</a>, is still accessible, though only recommended for issues that were already created there.</p> +</div> +<div class="paragraph"> +<p>Issues get resolved in one of the following ways:</p> +</div> +<div class="olist arabic"> +<ol class="arabic"> +<li> +<p>The reporter or another interested party provides <a href="https://github.com/apache/logging-log4j2/pulls">a pull request</a> tagging the issue in its title</p> +</li> +<li> +<p>A committer is interested in the issue and decides to work on it</p> +</li> +<li> +<p>The reporter or another interested party sponsors one or more of <a href="#sponsorship">the committers listed below</a> to encourage them to work on the issue</p> +</li> +</ol> +</div> +<div class="paragraph"> +<p>Created issues are subject to the following policy:</p> +</div> +<div class="dlist"> +<dl> +<dt class="hdlist1">Quality</dt> +<dd> +<p>Issues posted of insufficient quality will be removed</p> +</dd> +<dt class="hdlist1">No protracted discussions</dt> +<dd> +<p>Issues likely to result in protracted discussion must be posted to the mailing lists</p> +</dd> +<dt class="hdlist1">No Questions</dt> +<dd> +<p>Do not post questions as issues! +These will be removed, and you will be asked to post questions to the mailing lists instead.</p> +</dd> +</dl> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="sponsorship">Sponsorship</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>Sponsorship can be used simply as a way to say thank you for the work that has been done or as a way to encourage specific issues to be worked on. 
+In either case, while the Apache Logging Services project thanks you for your support, we cannot be responsible for any promises and/or contributions made by an individual committer, as individual commits must be reviewed and accepted by the project team.</p> +</div> +<div class="sect2"> +<h3 id="committers-accepting-github-sponsorship">Committers accepting GitHub Sponsorship</h3> +<div class="ulist"> +<ul> +<li> +<p><a href="https://github.com/carterkozak">Carter Kozak</a></p> +</li> +<li> +<p><a href="https://github.com/garydgregory">Gary Gregory</a></p> +</li> +<li> +<p><a href="https://github.com/jvz">Matt Sicker</a></p> +</li> +<li> +<p><a href="https://github.com/ppkarwasz">Piotr P. Karwasz</a></p> +</li> +<li> +<p><a href="https://github.com/rgoers">Ralph Goers</a></p> +</li> +<li> +<p><a href="https://github.com/vy">Volkan Yazıcı</a></p> +</li> +</ul> +</div> +</div> +</div> +</div> +<div class="sect1"> +<h2 id="commercial">Third-party commercial support</h2> +<div class="sectionbody"> +<div class="paragraph"> +<p>While neither the Apache Software Foundation nor the Apache Logging Services project provide any commercial support for the Log4j products, individual committers may collaborate with services that provide such support.</p> +</div> +<div class="paragraph"> +<p>The following aims to be a list of all commercial support services involving one or more Log4j committers.</p> +</div> +<div class="sect2"> +<h3 id="tidelift">Tidelift</h3> +<div class="paragraph"> +<p>Some Log4j maintainers receive funding from Tidelift for their maintenance efforts. +See <a href="https://tidelift.com">the Tidelift website</a> for details.</p> +</div> +</div> +</div> +</div> + </div> + +<div class="footer"> + <p> + Copyright © 2017-2023 <a href="https://www.apache.org" target="external">The Apache Software Foundation</a>. 
+ Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0" + target="external">Apache Software License, Version 2.0</a> Please read our <a href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy policy</a>. + </p><p> + Apache, Apache chainsaw, Apache log4cxx, Apache log4j, Apache log4net, Apache log4php and the Apache + feather logo are trademarks of The Apache Software Foundation. Oracle and Java are registered trademarks + of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. + </p><p> + Site powered by <a href="https://getbootstrap.com/" target="external">Bootstrap</a> + and <a href="https://jquery.com/" target="external">jQuery</a>. + </p> +</div> + +</div> +</body> +</html> diff --git a/content/team-list.html b/content/team-list.html index c7c41872..f6a256a9 100644 --- a/content/team-list.html +++ b/content/team-list.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a> 
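Review bot: The three Stack Overflow links in the user-support list of the new `content/support.html` use plain `http://`; they should be `https://stackoverflow.com`, `https://stackoverflow.com/questions/tagged/log4j` and `https://stackoverflow.com/questions/tagged/log4j2`, so visitors do not start on an unencrypted request. The `secur...@logging.apache.org` entry would be more useful to a reporter if its `<dd>` pointed to the disclosure process this commit publishes, for example by appending `(see <a href="/security/">Handling Security</a>)`. The relative `href="faq.html"` resolves to `/faq.html` from this page, and no such file appears in this commit's diffstat, so it is worth confirming that the target exists. Because the file is Buildbot output, these changes belong in the site source rather than in the published HTML.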
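Review bot: The new Security dropdown links to `/activity-monitor/`, but the diffstat for this commit adds only `content/security/index.html`, `content/security/known-vulnerabilities.html` and `content/support.html`, so the entry may be a dead link on every page unless that path is already published. Either confirm the page exists on the staging site, or leave `<li><a href="/activity-monitor/">Activity Monitor</a></li>` out of the navigation template until it does. The same menu is added by the second hunk of `content/what-is-logging.html` and in the navbar of the new `content/support.html`. The surrounding navbar markup starts and ends outside this hunk.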
diff --git a/content/what-is-logging.html b/content/what-is-logging.html index b95095b0..a38b4ee9 100644 --- a/content/what-is-logging.html +++ b/content/what-is-logging.html @@ -27,7 +27,7 @@ <li><a href="/guidelines.html">Guidelines</a></li> <li><a href="/charter.html">Charter</a></li> <li><a href="/team-list.html">Team</a></li> - <li><a href="/mailing-lists.html">Mailing lists</a></li> + <li><a href="/support.html">Support & Help</a></li> <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a> <li><a href="/what-is-logging.html">What is logging?</a> </li> @@ -113,7 +113,17 @@ <ul class="nav"> <li><a href="/blog">Blog</a></li> </ul> - + <ul class="nav"> + <li class="dropdown"> + <a href="#" class="dropdown-toggle" data-toggle="dropdown">Security<b class="caret"></b></a> + <ul class="dropdown-menu"> + <li><a href="/security/">Handling Security</a></li> + <li><a href="/security/known-vulnerabilities.html">Known Vulnerabilities</a></li> + <li><a href="/activity-monitor/">Activity Monitor</a></li> + </ul> + </li> + </ul> + <ul class="nav pull-right"> <li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Apache<b class="caret"></b></a>