Author: skitching Date: Sun Nov 19 01:17:43 2006 New Revision: 476777 URL: http://svn.apache.org/viewvc?view=rev&rev=476777 Log: General updates
Modified: jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt Modified: jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt URL: http://svn.apache.org/viewvc/jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt?view=diff&rev=476777&r1=476776&r2=476777 ============================================================================== --- jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt (original) +++ jakarta/commons/proper/logging/trunk/RELEASE-NOTES.txt Sun Nov 19 01:17:43 2006 @@ -58,7 +58,9 @@ obtaining the context classloader. In version 1.1 it did. In this release, it has reverted to not using an AccessController; any user-level code that needs to obtain a context classloader should itself create an AccessController, and call the -LogFactory.getContextClassLoader method via the doPrivileged method. +LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a +potential security issue, where untrusted code could get access to the context +classloader if a signed JCL library was in the classpath. == Dependencies == 
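Review bot: the guidance added in this hunk tells callers to "create an AccessController", but AccessController is never instantiated; the caller wraps the lookup in a privileged block, e.g. `AccessController.doPrivileged(new PrivilegedAction() { public Object run() { return LogFactory.getContextClassLoader(); } })`, and the calling code itself must then hold RuntimePermission("getClassLoader"). Suggest rewording to that. The new sentence should also be more precise about the cause: a signed jar on the classpath exposes nothing by itself; it was the policy grant keyed on the JCL signer, combined with the doPrivileged wrapper that 1.1 put around the context-classloader lookup, that let an unprivileged caller obtain the loader through JCL. Dropping the wrapper moves the permission check back onto the caller, which is the actual fix.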
@@ -85,12 +87,13 @@ libraries, just the internally implemented SimpleLog and NoOpLog classes plus Jdk14Logger (which is currently required by Apache Tomcat). -This jar file may be used as a declared dependency for projects that care about -"transitive dependencies" and can't handle jar files such as commons-logging-nn.jar -which have "optional" dependencies depending on how they are used. In addition, -this jar file can be useful for "rebundlers" of JCL who recompile the source-code -but who may not be able to recompile against the full set of supported adapters; -such projects should be able to at least recreate an equivalent of this jar file. +The file commons-logging-api-nn.jar may be used as a declared dependency for +projects that care about "transitive dependencies" and can't handle jar files +such as commons-logging-nn.jar which have "optional" dependencies depending on +how they are used. In addition, this jar file can be useful for "rebundlers" of +JCL who recompile the source-code but who may not be able to recompile against +the full set of supported adapters; such projects should be able to at least +recreate an equivalent of this jar file. == General Notes == 
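Review bot: naming the artifact (commons-logging-api-nn.jar) in the first sentence is a clear improvement over "This jar file", but the paragraph still does not say what a project gives up by depending on it: per the preceding context lines it contains only SimpleLog, NoOpLog and Jdk14Logger, so a project that declares only the api jar has no adapter for any external logging library unless commons-logging-nn.jar (or the project's own adapter) is also on the runtime classpath. One sentence stating that would stop readers treating the api jar as a drop-in replacement for the full jar.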
@@ -108,18 +111,36 @@ this merely affects how those are presented in the source files. See http://www.apache.org/legal/src-headers.html +This release can be built/tested with maven 2.0.4. Maven 1.x and Ant continue +to be supported. + == Bugs Fixed == * LOGGING-106: JCL 1.1 was completely unusable under a security policy that prevented access to system properties. Even signing/authorising the JCL library was not sufficient. This has been fixed by (a) catching SecurityException and falling back to a sensible default, and (b) using AccessController so JCL can be granted - privileges without needing the caller to have them too. + privileges without needing the caller to have them too. * LOGGING-107: JCL 1.1 auto-discovery failed under a security policy that prevented calls to ClassLoader.getParent. Signing/authorising the JCL library was not sufficient as an AccessController was not used. This has been fixed by catching SecurityException and using an AccessController. + +* MEV-392 (http://jira.codehaus.org/browse/MEV-392) + As JCL didn't provide a Maven2 pom.xml file, one was helpfully created by people + not involved with the commons-logging project and published to the standard maven + repositories. Unfortunately this pom declared normal dependencies on all the logging + libraries that are supported by the core JCL distribution, meaning they all get pulled + into a project that declares a dependency on JCL1.1. This release now provides an + "official" pom.xml which declares these dependencies as optional so they aren't + automatically included in projects that depend on JCL 1.1.1. + +* (no bug#): Fix thread-safety bug (SimpleDateFormat.format is not thread-safe). + Thanks to Martin Wilson of bright-interactive for the bug report. + +* (no bug#): Security issue regarding access to context classloader (see incompatibilities + section above). 
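Review bot: the last "Bugs Fixed" entry and LOGGING-106 now read as contradictory. LOGGING-106 says the fix uses AccessController "so JCL can be granted privileges without needing the caller to have them too", while the incompatibilities section (which the new entry points at) says this release has reverted to not using an AccessController. Suggest qualifying LOGGING-106 and LOGGING-107 to say the AccessController is kept for the system-property and ClassLoader.getParent accesses only and has been removed around the context-classloader lookup, since that is the one place where extending JCL's privileges to the caller is itself the security issue. Smaller points: the MEV-392 entry switches between "JCL1.1" and "JCL 1.1.1" (pick one form; the release that ships the pom is 1.1.1); the SimpleDateFormat entry does not say which class held the shared formatter, which is what a reader checking whether they are affected needs; and the -/+ pair on the "privileges without needing the caller to have them too." line looks like a whitespace-only change that could be dropped from the hunk.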
DEPRECATIONS: ============