[ https://issues.apache.org/jira/browse/OFBIZ-12475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466342#comment-17466342 ]

ASF subversion and git services commented on OFBIZ-12475:
---------------------------------------------------------

Commit a7449655678460ecd84ce6c04f7cc90bb55d1ea5 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a744965 ]

Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

See complete explanation at https://issues.apache.org/jira/browse/OFBIZ-12475

> [SECURITY] CVE-2021-44832: Apache Log4j2
> ----------------------------------------
>
>                 Key: OFBIZ-12475
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12475
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: 18.12.04
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>             Fix For: 18.12.05
>
>
> The Apache Log4j 2 team is pleased to announce the Log4j 2.17.1 release!
>
> Apache Log4j is a well known framework for logging application
> behavior. Log4j 2 is an upgrade to Log4j that provides significant
> improvements over its predecessor, Log4j 1.x, and provides many other
> modern features such as support for Markers, lambda expressions for
> lazy logging, property substitution using Lookups, multiple patterns
> on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
> feature is the ability to be "garbage-free" (avoid allocating
> temporary objects) while logging. In addition, Log4j 2 will not lose
> events while reconfiguring.
>
> The artifacts may be downloaded from
> https://logging.apache.org/log4j/2.x/download.html.
>
> This release contains the changes noted below:
>
> Address CVE-2021-44832.
> Other minor fixes.
>
> Due to a break in compatibility in the SLF4J binding, Log4j now ships
> with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
> should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
> should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
> are not fully supported. See
> https://issues.apache.org/jira/browse/LOG4J2-2975 and
> https://jira.qos.ch/browse/SLF4J-511.
>
> The Log4j 2.17.1 API, as well as many core components, maintains
> binary compatibility with previous releases.
>
> GA Release 2.17.1
>
> Changes in this version include:
>
> Fixed Bugs
>
> LOG4J2-3293: JdbcAppender now uses JndiManager to access JNDI
> resources. JNDI is only enabled when system property
> log4j2.enableJndiJdbc is set to true.
> LOG4J2-3290: Remove unused method.
> LOG4J2-3292: ExtendedLoggerWrapper.logMessage no longer double-logs
> when location is requested.
> LOG4J2-3289: log4j-to-slf4j no longer re-interpolates formatted
> message contents.
> LOG4J2-3204: Correct SpringLookup package name in Interpolator. Thanks
> to Francis-FY.
> LOG4J2-3284: log4j-to-slf4j takes the provided MessageFactory into
> account. Thanks to Michael Vorburger.
> LOG4J2-3264: Fix MapLookup to lookup MapMessage before DefaultMap.
> Thanks to Yanming Zhou.
> LOG4J2-3274: Buffered I/O check had inverted logic in
> RollingFileAppenderBuilder. Thanks to Faisal Khan Thayub Khan.
> : Fix NPE when input is null in StrSubstitutor.replace(String, Properties).
> LOG4J2-3270: Lookups with no prefix only read values from the
> configuration properties as expected.
> LOG4J2-3256: Reduce ignored package scope of KafkaAppender. Thanks to
> Lee Dongjin.
>
> ________________________________
>
> Apache Log4j 2.17.1 requires a minimum of Java 8 to build and run.
> Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
> longer supported by the Log4j team.
>
> For complete information on Apache Log4j 2, including instructions on
> how to submit bug reports, patches, or suggestions for improvement,
> see the Apache Log4j 2 website:
>
> https://logging.apache.org/log4j/2.x/
>
> --
> Matt Sicker
> PMC Member, Logging Services, Apache Software Foundation

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
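The practical follow-up to an advisory like the one quoted above is confirming which log4j-core version a deployment actually ships. The scanner below is an added example, not code from OFBiz or the Log4j project: it walks a directory tree, reads the Maven `pom.properties` entry that a standard log4j-core build carries inside the jar, and flags any version below 2.17.1, the fix release named in the announcement. The jars it scans are constructed fixtures built in a temporary directory (minimal zip files carrying only that properties entry), so the run is offline and the `demo()` result is an assumption about those fixtures, not about any real build.

```python
"""Scan a directory tree for log4j-core jars and flag versions below a fixed release."""
import os
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# Path that a Maven-built log4j-core jar uses to record its own artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fix release for CVE-2021-44832 on the 2.x line, as stated in the announcement.
# Assumption: deployments pinned to an older branch need that branch's own fix release,
# which this check does not model.
MIN_FIXED = (2, 17, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.17.1' (or '2.17.1-SNAPSHOT') into a tuple of ints that compares numerically."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Return the log4j-core version recorded in the jar, or None if the entry is absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        props = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan(root: str, minimum: Tuple[int, ...] = MIN_FIXED) -> Dict[str, Dict[str, object]]:
    """Walk root and report every log4j-core jar with its version and whether it is below minimum."""
    findings: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = log4j_core_version(path)
            except zipfile.BadZipFile:
                # Not a valid zip; nothing to learn from it here.
                continue
            if version is None:
                continue
            findings[path] = {
                "version": version,
                "below_fix": parse_version(version) < minimum,
            }
    return findings


def make_fixture_jar(path: str, version: str) -> None:
    """Constructed fixture: a minimal jar carrying only pom.properties (not a real log4j build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )


def demo() -> Dict[str, bool]:
    """Build a constructed tree with one old and one fixed jar, scan it, return {jar name: below_fix}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        make_fixture_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0")
        make_fixture_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
        # A jar without the log4j-core properties entry must be ignored, not reported.
        with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        results = scan(root)
        return {os.path.basename(p): bool(v["below_fix"]) for p, v in results.items()}


if __name__ == "__main__":
    for jar, below in sorted(demo().items()):
        print(f"{jar}: {'UPGRADE' if below else 'ok'}")
```

Two caveats for real use. Shaded or relocated jars, and jars nested inside a war or ear, do not carry (or do not expose) that `pom.properties` path, so this check finds only standard log4j-core artifacts on disk; treat a clean result as "nothing found", not "nothing present". And "below the fix release" is a version statement only: whether CVE-2021-44832 is reachable on a given host depends on who can modify the logging configuration, which this scanner does not assess.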