I very well recognize your heroic effort on tackling this issue and I am very thankful for that. I vote -1, because I want message (not configuration!) lookups to be removed.
Message lookups create a vast attack surface. Anything they offer can simply be implemented by the user.

On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote:

> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2
> project.
>
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
>
> The vote will remain open for 72 hours (or more if required). All votes
> are welcome and we encourage everyone to test the release, but only Logging
> PMC votes are "officially" counted. As always, at least 3 +1 votes and more
> positive than negative votes are required.
>
> Changes in this release include:
>
> Fixed Bugs
>
> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be
>   set to true to allow JNDI.
>
> Tag:
> a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git"
>    and then "git checkout tags/log4j-2.15.1-rc1" or just
>    "git clone -b log4j-2.15.1-rc1 https://github.com/apache/logging-log4j2.git"
> b) for an existing working copy to "git pull" and then
>    "git checkout tags/log4j-2.15.1-rc1"
>
> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html
>
> Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1067/
>
> Distribution archives:
> https://dist.apache.org/repos/dist/dev/logging/log4j/
>
> You may download all the Maven artifacts by executing:
> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/