[ https://issues.apache.org/jira/browse/OFBIZ-12475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469911#comment-17469911 ]

ASF subversion and git services commented on OFBIZ-12475:
---------------------------------------------------------

Commit 00896e73bce0ab3cb9541c37a4405b23d32911c0 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=00896e7 ]

Fixed: Announce 17.12.09 EOL (OFBIZ-12479)

Includes:
[SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)
[SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
[SECURITY] Update Tika because of Apache Log4j2 vulnerability (OFBIZ-12474)
[SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)


> [SECURITY] CVE-2021-44832: Apache Log4j2
> ----------------------------------------
>
>                 Key: OFBIZ-12475
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12475
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: 18.12.04
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Blocker
>             Fix For: 18.12.05
>
>
> The Apache Log4j 2 team is pleased to announce the Log4j 2.17.1 release!
>
> Apache Log4j is a well known framework for logging application
> behavior. Log4j 2 is an upgrade to Log4j that provides significant
> improvements over its predecessor, Log4j 1.x, and provides many other
> modern features such as support for Markers, lambda expressions for
> lazy logging, property substitution using Lookups, multiple patterns
> on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
> feature is the ability to be "garbage-free" (avoid allocating
> temporary objects) while logging. In addition, Log4j 2 will not lose
> events while reconfiguring.
>
> The artifacts may be downloaded from
> https://logging.apache.org/log4j/2.x/download.html.
>
> This release contains the changes noted below:
> Address CVE-2021-44832.
> Other minor fixes.
>
> Due to a break in compatibility in the SLF4J binding, Log4j now ships
> with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
> should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
> should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
> are not fully supported. See
> https://issues.apache.org/jira/browse/LOG4J2-2975 and
> https://jira.qos.ch/browse/SLF4J-511.
>
> The Log4j 2.17.1 API, as well as many core components, maintains
> binary compatibility with previous releases.
>
> GA Release 2.17.1
>
> Changes in this version include:
>
> Fixed Bugs
>
> LOG4J2-3293: JdbcAppender now uses JndiManager to access JNDI
> resources. JNDI is only enabled when system property
> log4j2.enableJndiJdbc is set to true.
> LOG4J2-3290: Remove unused method.
> LOG4J2-3292: ExtendedLoggerWrapper.logMessage no longer double-logs
> when location is requested.
> LOG4J2-3289: log4j-to-slf4j no longer re-interpolates formatted
> message contents.
> LOG4J2-3204: Correct SpringLookup package name in Interpolator. Thanks
> to Francis-FY.
> LOG4J2-3284: log4j-to-slf4j takes the provided MessageFactory into
> account. Thanks to Michael Vorburger.
> LOG4J2-3264: Fix MapLookup to lookup MapMessage before DefaultMap.
> Thanks to Yanming Zhou.
> LOG4J2-3274: Buffered I/O checked had inverted logic in
> RollingFileAppenderBuilder. Thanks to Faisal Khan Thayub Khan.
> : Fix NPE when input is null in StrSubstitutor.replace(String, Properties).
> LOG4J2-3270: Lookups with no prefix only read values from the
> configuration properties as expected.
> LOG4J2-3256: Reduce ignored package scope of KafkaAppender. Thanks to
> Lee Dongjin.
> ________________________________
> Apache Log4j 2.17.1 requires a minimum of Java 8 to build and run.
> Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
> longer supported by the Log4j team.
>
> For complete information on Apache Log4j 2, including instructions on
> how to submit bug reports, patches, or suggestions for improvement,
> see the Apache Log4j 2 website:
> https://logging.apache.org/log4j/2.x/
> -- 
> Matt Sicker
> PMC Member, Logging Services, Apache Software Foundation



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
