Hello

Due to recently discovered Log4j1 CVEs:
- CVE-2021-4104 - JMSAppender + JNDI
- CVE-2022-23302 - JMSSink.main() + JNDI
- CVE-2022-23305 - JDBCAppender SQLInjection
- CVE-2022-23307 - Chainsaw component

And due to emerging Reload4j project <https://reload4j.qos.ch/>[1] which is a fork of original ASF's Log4j project (forked by Ceki Gülcü - author of Log4j1 and Logback) we've decided to release updated versions of Pax Logging project itself.

There are two completely new minor releases - 1.12.x and 2.1.x and they have two goals:
- be binary/API compatible with (respectively) 1.11.x and 2.0.x branches
- ship only pax-logging-logback and pax-logging-log4j2 "backends" (no more log4j1 implementation)

On the other hand, branches 1.10.x, 1.11.x and 2.0.x do not remove any features and they have only one goal:
- switch from log4j:log4j to ch.qos.reload4j:reload4j dependencies

All 5 releases in general preserve one feature:
- they still contain log4j1 API - pax-logging-api still exports org.apache.log4j{.config,.helpers,.or,.pattern,.spi,.xml} packages

but as always the classes like org.apache.log4j.Logger only delegate to underlying Pax Logging machinery (thus delegating to selected backend - like Logback or Log4j2)

So all 5 releases are natural replacements of previous versions - even if your other bundles require Log4j1 API packages. Simply in 2.1.0 and 1.12.0 you won't find Log4j1's JMSAppender, JDBCAppender or actually any other Log4j1 appender or JNDI/LDAP code.

All the release notes can be found using the following links:
- 2.1.0: https://github.com/ops4j/org.ops4j.pax.logging/milestone/73?closed=1
- 2.0.15: https://github.com/ops4j/org.ops4j.pax.logging/milestone/80?closed=1
- 1.12.0: https://github.com/ops4j/org.ops4j.pax.logging/milestone/83?closed=1
- 1.11.14: https://github.com/ops4j/org.ops4j.pax.logging/milestone/82?closed=1
- 1.10.10: https://github.com/ops4j/org.ops4j.pax.logging/milestone/86?closed=1

kind regards
Grzegorz Grzybek

===
[1]: https://reload4j.qos.ch/
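
A presence check for the Log4j1 classes named in the CVE list above, usable to confirm that a deployed bundle JAR carries only the Log4j1 API packages and none of the appender, JMSSink or Chainsaw classes. This is an added example, not part of the original message or of the Pax Logging project; `scan_jar`, `make_jar` and the sample JARs are constructed for illustration, and the check reports class presence only, so it cannot tell a patched class from an unpatched one.

```python
import io
import zipfile

# Log4j1 classes named by the CVEs in the announcement, at the paths they
# have in the original log4j:log4j 1.2.x artifact.
FLAGGED = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/": "CVE-2022-23307",  # whole package
}

def scan_jar(jar, _depth=0):
    """Return sorted (entry, cve) pairs for flagged classes in a JAR.

    `jar` is a path or binary file object; embedded .jar entries are
    followed up to three levels deep.
    """
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            for prefix, cve in FLAGGED.items():
                if name.startswith(prefix) and name.endswith(".class"):
                    hits.append((name, cve))
            if name.endswith(".jar") and _depth < 3:
                try:
                    nested = scan_jar(io.BytesIO(zf.read(name)), _depth + 1)
                except zipfile.BadZipFile:
                    continue  # not a readable archive; skip it
                hits += [(f"{name}!/{n}", c) for n, c in nested]
    return sorted(hits)

def make_jar(entries):
    """Build an in-memory JAR from {entry name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed samples: entry names only, the class bytes are dummies.
    api_only = make_jar({"org/apache/log4j/Logger.class": b"",
                         "org/apache/log4j/spi/LoggingEvent.class": b""})
    legacy = make_jar({"org/apache/log4j/Logger.class": b"",
                       "org/apache/log4j/net/JMSAppender.class": b"",
                       "org/apache/log4j/chainsaw/Main.class": b""})
    print("api-only:", scan_jar(api_only))
    print("legacy:  ", scan_jar(legacy))
```

Classes relocated into a different package by shading are not matched by this check.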