Those were already disabled in 2.15.0. Matt Sicker
> On Dec 12, 2021, at 13:41, Volkan Yazıcı <vol...@yazi.ci> wrote: > > I very well recognize your heroic effort on tackling this issue and I am > very thankful for that. > I vote -1, because I want message (not configuration!) lookups to be > removed. > > Message lookups create a vast attack surface. Anything they offer can > simply be implemented by the user. > >> On Sun, Dec 12, 2021 at 4:48 AM Matt Sicker <boa...@gmail.com> wrote: >> >> This is a vote to release Log4j 2.15.1, the next version of the Log4j 2 >> project. >> >> Please download, test, and cast your votes on the log4j developers list. >> [] +1, release the artifacts >> [] -1, don't release because... >> >> The vote will remain open for 72 hours (or more if required). All votes >> are welcome and we encourage everyone to test the release, but only Logging >> PMC votes are “officially” counted. As always, at least 3 +1 votes and more >> positive than negative votes are required. >> >> Changes in this release include: >> >> Fixed Bugs >> >> * LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be >> set to true to allow JNDI. >> >> Tag: >> a) for a new copy do "git clone >> https://github.com/apache/logging-log4j2.git < >> https://github.com/apache/logging-log4j2.git>" and then "git checkout >> tags/log4j-2.15.1-rc1” or just "git clone -b log4j-2.15.1-rc1 >> https://github.com/apache/logging-log4j2.git < >> https://github.com/apache/logging-log4j2.git>" >> b) for an existing working copy to “git pull” and then “git checkout >> tags/log4j-2.15.1-rc1” >> >> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html < >> https://logging.staged.apache.org/log4j/2.x/index.html>. >> >> Maven Artifacts: >> https://repository.apache.org/content/repositories/orgapachelogging-1067/ >> >> Distribution archives: >> https://dist.apache.org/repos/dist/dev/logging/log4j/ < >> https://dist.apache.org/repos/dist/dev/logging/log4j/> >> >> You may download all the Maven artifacts by executing: >> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate >> https://repository.apache.org/content/repositories/orgapachelogging-1067/org/apache/logging/log4j/