Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Gary Gregory
Hi all,

mvn apache-rat:check fails

JQuery is included in the checkout of the tag. Is that a problem?

Gary

On Tue, Dec 14, 2021 at 12:38 AM Matt Sicker  wrote:

> This is a vote to release Log4j Kotlin API version 1.2.0, the next version
> of the Kotlin facade for Log4j2.
>
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
>
> The vote will remain open for 24 hours (or more if required). All votes
> are welcome and we encourage everyone to test the release, but only Logging
> PMC votes are “officially” counted. As always, at least 3 +1 votes and more
> positive than negative votes are required.
>
> Changes in this release include:
>
> * LOG4J2-3218: Update Log4j dependency to 2.16.0.
>
> This is primarily provided to help upgrade transitive dependencies on
> log4j-core which was recently updated to fix CVE-2021-44228.
>
> Tag:
> a)  for a new copy do "git clone
> https://github.com/apache/logging-log4j-kotlin.git" and then "git
> checkout tags/log4j-api-kotlin-1.2.0-rc1"  or just "git clone -b
> log4j-api-kotlin-1.2.0-rc1
> https://github.com/apache/logging-log4j-kotlin.git"
> b) for an existing working copy to “git pull” and then “git checkout
> tags/log4j-api-kotlin-1.2.0-rc1”
>
> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
>
> Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1069/
>
> Distribution archives:
> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
>
> You may download all the Maven artifacts by executing:
> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> https://repository.apache.org/content/repositories/orgapachelogging-1069/org/apache/logging/log4j/
>
>  --
> Matt Sicker
>
>


Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Gary Gregory
Should JQuery's copyright be in the NOTICE file?

On Tue, Dec 14, 2021 at 5:45 AM Gary Gregory  wrote:

> Hi all,
>
> mvn apache-rat:check fails
>
> JQuery is included in the checkout of the tag. Is that a problem?
>
> Gary
>
> On Tue, Dec 14, 2021 at 12:38 AM Matt Sicker  wrote:
>
>> This is a vote to release Log4j Kotlin API version 1.2.0, the next
>> version of the Kotlin facade for Log4j2.
>>
>> Please download, test, and cast your votes on the log4j developers list.
>> [] +1, release the artifacts
>> [] -1, don't release because...
>>
>> The vote will remain open for 24 hours (or more if required). All votes
>> are welcome and we encourage everyone to test the release, but only Logging
>> PMC votes are “officially” counted. As always, at least 3 +1 votes and more
>> positive than negative votes are required.
>>
>> Changes in this release include:
>>
>> * LOG4J2-3218: Update Log4j dependency to 2.16.0.
>>
>> This is primarily provided to help upgrade transitive dependencies on
>> log4j-core which was recently updated to fix CVE-2021-44228.
>>
>> Tag:
>> a)  for a new copy do "git clone
>> https://github.com/apache/logging-log4j-kotlin.git" and then "git
>> checkout tags/log4j-api-kotlin-1.2.0-rc1"  or just "git clone -b
>> log4j-api-kotlin-1.2.0-rc1
>> https://github.com/apache/logging-log4j-kotlin.git"
>> b) for an existing working copy to “git pull” and then “git checkout
>> tags/log4j-api-kotlin-1.2.0-rc1”
>>
>> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
>>
>> Maven Artifacts:
>> https://repository.apache.org/content/repositories/orgapachelogging-1069/
>>
>> Distribution archives:
>> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
>>
>> You may download all the Maven artifacts by executing:
>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
>> https://repository.apache.org/content/repositories/orgapachelogging-1069/org/apache/logging/log4j/
>>
>>  --
>> Matt Sicker
>>
>>


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
After checking out the tag (git status says 'HEAD detached at
log4j-2.12.2-rc1') and running 'mvn clean install' with Java 8 and Maven
3.8.4, I get:
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
0.351 s - in org.apache.logging.log4j.MarkerMixInJsonTest
[INFO]
[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR]   YamlLayoutTest.testAdditionalFields:318 ---
thread: "MyThreadName"
level: "DEBUG"
loggerName: "a.B"
marker:
  name: "Marker1"
  parents:
  - name: "ParentMarker1"
parents:
- name: "GrandMotherMarker"
- name: "GrandFatherMarker"
  - name: "ParentMarker2"
message: "Msg"
thrown:
  commonElementCount: 0
  localizedMessage: "testIOEx"
  message: "testIOEx"
  name: "java.io.IOException"
  cause:
commonElementCount: 38
localizedMessage: "testNPEx"
message: "testNPEx"
name: "java.lang.NullPointerException"
  suppressed:
  - commonElementCount: 0
localizedMessage: "I am suppressed exception 1"
message: "I am suppressed exception 1"
name: "java.lang.IndexOutOfBoundsException"
  - commonElementCount: 0
localizedMessage: "I am suppressed exception 2"
message: "I am suppressed exception 2"
name: "java.lang.IndexOutOfBoundsException"
contextStack:
- "stack_msg1"
- "stack_msg2"
endOfBatch: false
loggerFqcn: "f.q.c.n"
instant:
  epochSecond: 0
  nanoOfSecond: 100
threadId: 1
threadPriority: 5
KEY1: "VALUE1"
KEY2: "OpenJDK Runtime Environment (build
1.8.0_312-bre_2021_10_20_23_15-b00) from\
  \ Homebrew"

[INFO]
[ERROR] Tests run: 2063, Failures: 1, Errors: 0, Skipped: 21

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: /usr/local/Cellar/maven/3.8.4/libexec
Java version: 1.8.0_312, vendor: Homebrew, runtime:
/usr/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.0.1", arch: "x86_64", family: "mac"

I can reproduce this from Eclipse by running the one test class.

The test uses a Java lookup here:
https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L312

And expects it to be present here:
https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L318

(1) Should this test pass or fail? I thought we disabled lookups _except_
in configuration files.
(2) If the test should pass, is _my_ failure due to some line length or
line wrapping issue?

TY and congrats to all of us for spending so much time on this,
Gary


On Tue, Dec 14, 2021 at 12:58 AM Ralph Goers 
wrote:

> This is a vote to release Log4j 2.12.2, a security release for Java 7
> users.
>
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
>
> The vote will remain open for as short an amount of time as required to vet
> the release. All votes are welcome and we encourage everyone to test the
> release, but only Logging PMC votes are “officially” counted. As always, at
> least 3 +1 votes and more positive than negative votes are required.
>
> Changes in this version include:
>
> Fixed Bugs
>
> • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove
> message lookups. When enabled JNDI only supports the java protocol.
>
> Tag:
> a)  for a new copy do "git clone
> https://github.com/apache/logging-log4j2.git" and then "git checkout
> tags/log4j-2.12.2-rc1”  or just "git clone -b log4j-2.12.2-rc1
> https://github.com/apache/logging-log4j2.git"
> b) for an existing working copy to “git pull” and then “git checkout
> tags/log4j-2.12.2-rc1”
>
> Web Site:  No web site was generated for this release. The 2.16.0 web site
> will be updated appropriately.
>
> Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1070
>
> Distribution archives:
> https://dist.apache.org/repos/dist/dev/logging/log4j/
>
> You may download all the Maven artifacts by executing:
> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Volkan Yazıcı
Sorry, I can't get `log4j-2.12.2-rc1` tag compiling.

Downloading:
https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-remote-resources-plugin/1.5/maven-remote-resources-plugin-1.5.pom
[INFO]

[INFO] Reactor Summary:
[INFO]
[INFO] Apache Log4j 2 . SUCCESS [  0.681 s]
[INFO] Apache Log4j API Java 9 support  SUCCESS [  2.384 s]
...
[INFO] Apache Log4j Samples: Configuration  SUCCESS [  0.989 s]
[INFO] Apache Log4j Samples: LoggerProperties . SUCCESS [  0.982 s]
[INFO] Apache Log4j BOM ... FAILURE [  0.223 s]
[INFO] Apache Log4j JDBC DBCP 2 ... SKIPPED
[INFO] Apache Log4j JPA ... SKIPPED
[INFO] Apache Log4j CouchDB ... SKIPPED
...
[ERROR] Plugin org.apache.maven.plugins:maven-remote-resources-plugin:1.5
or one of its dependencies could not be resolved: Failed to read artifact
descriptor for
org.apache.maven.plugins:maven-remote-resources-plugin:jar:1.5: Could not
transfer artifact
org.apache.maven.plugins:maven-remote-resources-plugin:pom:1.5 from/to
central (https://repo.maven.apache.org/maven2): Received fatal alert:
protocol_version -> [Help 1]

I think I will be offline from now on to get some sleep.
Good luck!

On Tue, Dec 14, 2021 at 12:06 PM Gary Gregory 
wrote:

> After checking out the tag (git status says 'HEAD detached at
> log4j-2.12.2-rc1') and running 'mvn clean install' with Java 8 and Maven
> 3.8.4, I get:
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 0.351 s - in org.apache.logging.log4j.MarkerMixInJsonTest
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Failures:
> [ERROR]   YamlLayoutTest.testAdditionalFields:318 ---
> thread: "MyThreadName"
> level: "DEBUG"
> loggerName: "a.B"
> marker:
>   name: "Marker1"
>   parents:
>   - name: "ParentMarker1"
> parents:
> - name: "GrandMotherMarker"
> - name: "GrandFatherMarker"
>   - name: "ParentMarker2"
> message: "Msg"
> thrown:
>   commonElementCount: 0
>   localizedMessage: "testIOEx"
>   message: "testIOEx"
>   name: "java.io.IOException"
>   cause:
> commonElementCount: 38
> localizedMessage: "testNPEx"
> message: "testNPEx"
> name: "java.lang.NullPointerException"
>   suppressed:
>   - commonElementCount: 0
> localizedMessage: "I am suppressed exception 1"
> message: "I am suppressed exception 1"
> name: "java.lang.IndexOutOfBoundsException"
>   - commonElementCount: 0
> localizedMessage: "I am suppressed exception 2"
> message: "I am suppressed exception 2"
> name: "java.lang.IndexOutOfBoundsException"
> contextStack:
> - "stack_msg1"
> - "stack_msg2"
> endOfBatch: false
> loggerFqcn: "f.q.c.n"
> instant:
>   epochSecond: 0
>   nanoOfSecond: 100
> threadId: 1
> threadPriority: 5
> KEY1: "VALUE1"
> KEY2: "OpenJDK Runtime Environment (build
> 1.8.0_312-bre_2021_10_20_23_15-b00) from\
>   \ Homebrew"
>
> [INFO]
> [ERROR] Tests run: 2063, Failures: 1, Errors: 0, Skipped: 21
>
> Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
> Maven home: /usr/local/Cellar/maven/3.8.4/libexec
> Java version: 1.8.0_312, vendor: Homebrew, runtime:
> /usr/local/Cellar/openjdk@8
> /1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "12.0.1", arch: "x86_64", family: "mac"
>
> I can reproduce this from Eclipse by running the one test class.
>
> The test uses a Java lookup here:
>
> https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L312
>
> And expects it to be present here:
>
> https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L318
>
> (1) Should this test pass or fail? I thought we disabled lookups _except_
> in configuration files.
> (2) If the test should pass, is _my_ failure due to some line length or
> line wrapping issue?
>
> TY and congrats to all of us for spending so much time on this,
> Gary
>
>
> On Tue, Dec 14, 2021 at 12:58 AM Ralph Goers 
> wrote:
>
> > This is a vote to release Log4j 2.12.2, a security release for Java 7
> > users.
> >
> > Please download, test, and cast your votes on the log4j developers list.
> > [] +1, release the artifacts
> > [] -1, don't release because...
> >
> > The vote will remain open for as short an amount of time as required to vet
> > the release. All votes are welcome and we encourage everyone to test the
> > release, but only Logging PMC votes are “officially” counted. As always,
> at
> > least 3 +1 votes and more positive than negative votes are required.
> >
> > Changes in this version include:
> >
> > Fixed Bugs
> >
> > • LO

log4net

2021-12-14 Thread Joe Kelly
I was wondering if the log4net service has a similar vulnerability as log4j. 
There isn't any information on the log4net security page and the current 
version of 2.0.13 doesn't match the log4j version of 2.16.0.

Joe Kelly
Information Security Analyst
P: 405.763.5425
F: 405.602.6337
www.okcu.org

joe.ke...@okcu.org 
Oklahoma's Credit Union
Happy to Help(r)
NOTICE:
This e-mail is intended solely for the use of the individual to whom it is 
addressed and may contain information that is privileged, confidential or 
otherwise exempt from disclosure. If the reader of this e-mail is not the 
intended recipient or the employee or agent responsible for delivering the 
message to the intended recipient, you are hereby notified that any 
dissemination, distribution, or copying of this communication is strictly 
prohibited. If you have received this communication in error, please 
immediately notify us by replying to the original message at the listed email 
address.

Happy to Help
Oklahoma's Credit Union
http://www.okcu.org


Re: log4net

2021-12-14 Thread Davyd McColl

Hi Joe

No, it shouldn't, particularly because we're very different projects, on 
very different platforms, and I understand that the log4j vuln is largely 
linked to a  _dependency_ of log4j. The closest we've had was an xml vuln 
that was patched some time ago.


That being said, I'm currently the only maintainer and I definitely have 
written the least code in log4net, so if you or anyone else would like to 
audit for vulnerabilities (and, even better, PR mitigations), I'm all for it.


-d


On December 14, 2021 16:03:39 Joe Kelly  wrote:

I was wondering if the log4net service has a similar vulnerability as 
log4j. There isn't any information on the log4net security page and the 
current version of 2.0.13 doesn't match the log4j version of 2.16.0.


Joe Kelly
Information Security Analyst
P: 405.763.5425
F: 405.602.6337
www.okcu.org

joe.ke...@okcu.org 
Oklahoma's Credit Union
Happy to Help(r)



Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Vladimir Sitnikov
Hi,

I hope log4j finds you well :)
I know log4j 1.x has reached its end of life long ago,
however, I wonder if there's a possibility to ship 1.2.18 with
"network-related" classes removed.

The list of classes I suggest removing:
* JMSAppender: it looks like it might cause "remote code execution" issues
if an attacker can modify the logging configuration.
Frankly speaking, I would just remove the appender and wait for what
happens.
* JMSSink, SocketServer, SocketNode, chainsaw: if somebody needs them, they
can use 1.2.17

A slightly better option would be moving the extra features to an extra
jar, however, it would require more effort, and I am not sure it is worth
doing.

My motivation is as follows:
* Everybody has questions on "what to do with log4j 1.x"
* There are applications that can't replace log4j 1 with 2 (e.g. they use
programmatic configuration)
* The maintenance overheads for releasing 1.2.18 do not seem to be severe.
At the end of the day, I suggest removing several classes and releasing it
* Dependabot would be able to bump log4j:log4j from 1.2.17 to 1.2.18

That is why I think releasing 1.2.18 as a "security hardened" version would
be good for everybody.

I think I can create a PR for the change, however, I can't really release
it without logging PMC.

WDYT?

See https://github.com/apache/logging-log4j2/pull/608#issuecomment-993430513

Vladimir


Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Ralph Goers
Virtually all of the contributors to the Log4j 1.x project left a few years
before it was declared EOL. That is the primary reason it was retired. Although
the current set of committers have access to the code, none of us have ever
built it. My understanding is it requires an extremely old JDK.

If you have people who know how to build it they would be welcome to do so. The
PMC would still have to vote on it and actually release it.

Ralph

> On Dec 14, 2021, at 7:09 AM, Vladimir Sitnikov  
> wrote:
> 
> Hi,
> 
> I hope log4j finds you well :)
> I know log4j 1.x has reached its end of life long ago,
> however, I wonder if there's a possibility to ship 1.2.18 with
> "network-related" classes removed.
> 
> The list of classes I suggest removing:
> * JMSAppender: it looks like it might cause "remote code execution" issues
> if an attacker can modify the logging configuration.
> Frankly speaking, I would just remove the appender and wait for what
> happens.
> * JMSSink, SocketServer, SocketNode, chainsaw: if somebody needs them, they
> can use 1.2.17
> 
> A slightly better option would be moving the extra features to an extra
> jar, however, it would require more effort, and I am not sure it is worth
> doing.
> 
> My motivation is as follows:
> * Everybody has questions on "what to do with log4j 1.x"
> * There are applications that can't replace log4j 1 with 2 (e.g. they use
> programmatic configuration)
> * The maintenance overheads for releasing 1.2.18 do not seem to be severe.
> At the end of the day, I suggest removing several classes and releasing it
> * Dependabot would be able to bump log4j:log4j from 1.2.17 to 1.2.18
> 
> That is why I think releasing 1.2.18 as a "security hardened" version would
> be good for everybody.
> 
> I think I can create a PR for the change, however, I can't really release
> it without logging PMC.
> 
> WDYT?
> 
> See https://github.com/apache/logging-log4j2/pull/608#issuecomment-993430513
> 
> Vladimir



Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Remko Popma
Hi Vladimir,

Thank you for your interest!

You mentioned that "The maintenance overheads for releasing 1.2.18 do not
seem to be severe".
Have you actually tried building the project to see if this is true?

Remko

On Tue, Dec 14, 2021 at 11:13 PM Vladimir Sitnikov <
sitnikov.vladi...@gmail.com> wrote:

> Hi,
>
> I hope log4j finds you well :)
> I know log4j 1.x has reached its end of life long ago,
> however, I wonder if there's a possibility to ship 1.2.18 with
> "network-related" classes removed.
>
> The list of classes I suggest removing:
> * JMSAppender: it looks like it might cause "remote code execution" issues
> if an attacker can modify the logging configuration.
> Frankly speaking, I would just remove the appender and wait for what
> happens.
> * JMSSink, SocketServer, SocketNode, chainsaw: if somebody needs them, they
> can use 1.2.17
>
> A slightly better option would be moving the extra features to an extra
> jar, however, it would require more effort, and I am not sure it is worth
> doing.
>
> My motivation is as follows:
> * Everybody has questions on "what to do with log4j 1.x"
> * There are applications that can't replace log4j 1 with 2 (e.g. they use
> programmatic configuration)
> * The maintenance overheads for releasing 1.2.18 do not seem to be severe.
> At the end of the day, I suggest removing several classes and releasing it
> * Dependabot would be able to bump log4j:log4j from 1.2.17 to 1.2.18
>
> That is why I think releasing 1.2.18 as a "security hardened" version would
> be good for everybody.
>
> I think I can create a PR for the change, however, I can't really release
> it without logging PMC.
>
> WDYT?
>
> See
> https://github.com/apache/logging-log4j2/pull/608#issuecomment-993430513
>
> Vladimir
>


Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Vladimir Sitnikov
>My understanding is it requires an extremely
>old JDK.
>Have you actually tried building the project to see if this is true?

I was able to build the project with Maven3 and Java 1.8 by commenting out
tools.jar, "site-related", "antrun-related" stuff in pom.xml.
It did produce log4j.jar that worked with Weblogic APP.



There's an alternative option:
* cut the files from the source
* take log4j-1.2.17.jar
* remove the offending classes
* re-save the file as log4j-1.2.18.jar
* manually upload it to oss.sonatype.org via UI :)

It might be easier than trying to find the proper tools for the compilation.

Vladimir


Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Ralph Goers
To be honest I hadn’t looked but just noticed 
https://logging.apache.org/log4j/1.2/building.html. I’m not sure 
if I can get ahold of the windows dll but perhaps I can give it a try when I
have time to breathe.

Ralph

> On Dec 14, 2021, at 7:43 AM, Vladimir Sitnikov  
> wrote:
> 
>> My understanding is it requires an extremely
>> old JDK.
>> Have you actually tried building the project to see if this is true?
> 
> I was able to build the project with Maven3 and Java 1.8 by commenting out
> tools.jar, "site-related", "antrun-related" stuff in pom.xml.
> It did produce log4j.jar that worked with Weblogic APP.
> 
> 
> 
> There's an alternative option:
> * cut the files from the source
> * take log4j-1.2.17.jar
> * remove the offending classes
> * re-save the file as log4j-1.2.18.jar
> * manually upload it to oss.sonatype.org via UI :)
> 
> It might be easier than trying to find the proper tools for the compilation.
> 
> Vladimir



Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Remko Popma
On Tue, Dec 14, 2021 at 11:44 PM Vladimir Sitnikov <
sitnikov.vladi...@gmail.com> wrote:

> >My understanding is it requires an extremely
> >old JDK.
> >Have you actually tried building the project to see if this is true?
>
> I was able to build the project with Maven3 and Java 1.8 by commenting out
> tools.jar, "site-related", "antrun-related" stuff in pom.xml.
> It did produce log4j.jar that worked with Weblogic APP.
>
> 
>
> There's an alternative option:
> * cut the files from the source
> * take log4j-1.2.17.jar
> * remove the offending classes
> * re-save the file as log4j-1.2.18.jar
> * manually upload it to oss.sonatype.org via UI :)
>
> It might be easier than trying to find the proper tools for the
> compilation.
>

About the alternative solution:
How would we then be able to ever release a log4j-1.2.19 jar if we find
another security vulnerability? I don't like this idea.

If we do a new Log4j 1.x release, we should do it from source.
I believe that 1.2.17 targets Java 1.4(!), but it may be the case that the
oldest JDK available from Oracle is Java 5.
We can consider setting the compiler option to create Java 1.4 byte code,
since we are only removing classes. (Vladimir, is this correct?)

Also, I think we can consider not supporting any appenders that require
native code.
I believe that last one was one of the major stumbling blocks, I could be
wrong.


>
> Vladimir
>


RE: Re: log4net

2021-12-14 Thread David Schwartz
Hi Joe,

Adding to what Davyd wrote.  I just searched the codebase and the JndiLookup 
class (where the log4j vulnerability was found) does not exist in log4net.  In 
fact, there is no code related to jndi at all as far as I can see.

David

-Original Message-
From: Davyd McColl 
Sent: Tuesday, December 14, 2021 4:10 PM
To: dev@logging.apache.org
Subject: [EXTERNAL] Re: log4net

Hi Joe

No, it shouldn't, particularly because we're very different projects, on very 
different platforms, and I understand that the log4j vuln is largely linked to 
a  _dependency_ of log4j. The closest we've had was an xml vuln that was 
patched some time ago.

That being said, I'm currently the only maintainer and I definitely have 
written the least code in log4net, so if you or anyone else would like to audit 
for vulnerabilities (and, even better, PR mitigations), I'm all for it.

-d


On December 14, 2021 16:03:39 Joe Kelly  wrote:

> I was wondering if the log4net service has a similar vulnerability as
> log4j. There isn't any information on the log4net security page and
> the current version of 2.0.13 doesn't match the log4j version of 2.16.0.
>
> Joe Kelly
> Information Security Analyst
> P: 405.763.5425
> F: 405.602.6337
> www.okcu.org
>
> joe.ke...@okcu.org  Oklahoma's Credit Union
> Happy to Help(r)


Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Vladimir Sitnikov
>How would we then be able to ever release a log4j-1.2.19 jar if we find
>another security vulnerability?

I hope 1.2.19 won't be needed ;)

>I believe that 1.2.17 targets Java 1.4(!)

Java 1.8 can target 1.4 bytecode.

>Also, I think we can consider not supporting any appenders that require
>native code

I'm not sure what to do with native code.
It might be ok to drop the native appenders as well, as the overlap of
those who use it and
who can't upgrade and who need a fix at the same time is probably close to
zero.

Vladimir


Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Ralph Goers
OK. We will look into this but you have to understand the priority of this is 
lower for us than getting all the Log4j 2 issues resolved. We are still swamped.

Ralph

> On Dec 14, 2021, at 8:03 AM, Vladimir Sitnikov  
> wrote:
> 
>> How would we then be able to ever release a log4j-1.2.19 jar if we find
>> another security vulnerability?
> 
> I hope 1.2.19 won't be needed ;)
> 
>> I believe that 1.2.17 targets Java 1.4(!)
> 
> Java 1.8 can target 1.4 bytecode.
> 
>> Also, I think we can consider not supporting any appenders that require
>> native code
> 
> I'm not sure what to do with native code.
> It might be ok to drop the native appenders as well, as the overlap of
> those who use it and
> who can't upgrade and who need a fix at the same time is probably close to
> zero.
> 
> Vladimir



Re: Remove JMSAppender, JMSSink, SocketServer, SocketNode, ..., chainsaw, and ship it as 1.2.18

2021-12-14 Thread Gary Gregory
On Tue, Dec 14, 2021 at 9:54 AM Remko Popma  wrote:

> On Tue, Dec 14, 2021 at 11:44 PM Vladimir Sitnikov <
> sitnikov.vladi...@gmail.com> wrote:
>
> > >My understanding is it requires an extremely
> > >old JDK.
> > >Have you actually tried building the project to see if this is true?
> >
> > I was able to build the project with Maven3 and Java 1.8 by commenting
> out
> > tools.jar, "site-related", "antrun-related" stuff in pom.xml.
> > It did produce log4j.jar that worked with Weblogic APP.
> >
> > 
> >
> > There's an alternative option:
> > * cut the files from the source
> > * take log4j-1.2.17.jar
> > * remove the offending classes
> > * re-save the file as log4j-1.2.18.jar
> > * manually upload it to oss.sonatype.org via UI :)
>

I am sorry but this is not acceptable. Strictly speaking, Apache releases
source code, all binaries are just a convenience for our users, and must
be built from source.

Gary


> >
> > It might be easier than trying to find the proper tools for the
> > compilation.
> >
>
> About the alternative solution:
> How would we then be able to ever release a log4j-1.2.19 jar if we find
> another security vulnerability? I don't like this idea.
>
> If we do a new Log4j 1.x release, we should do it from source.
> I believe that 1.2.17 targets Java 1.4(!), but it may be the case that the
> oldest JDK available from Oracle is Java 5.
> We can consider setting the compiler option to create Java 1.4 byte code,
> since we are only removing classes. (Vladimir, is this correct?)
>
> Also, I think we can consider not supporting any appenders that require
> native code.
> I believe that last one was one of the major stumbling blocks, I could be
> wrong.
>
>
> >
> > Vladimir
> >
>


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
This problem was a red herring for me, my ${java:runtime} string was
wrapping due to length and the test did not account for that. I updated the
branch and I am building locally to see if I can go through a whole build...

Gary

On Tue, Dec 14, 2021 at 6:06 AM Gary Gregory  wrote:

> After checking out the tag (git status says 'HEAD detached at
> log4j-2.12.2-rc1') and running 'mvn clean install' with Java 8 and Maven
> 3.8.4, I get:
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 0.351 s - in org.apache.logging.log4j.MarkerMixInJsonTest
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Failures:
> [ERROR]   YamlLayoutTest.testAdditionalFields:318 ---
> thread: "MyThreadName"
> level: "DEBUG"
> loggerName: "a.B"
> marker:
>   name: "Marker1"
>   parents:
>   - name: "ParentMarker1"
>     parents:
>     - name: "GrandMotherMarker"
>     - name: "GrandFatherMarker"
>   - name: "ParentMarker2"
> message: "Msg"
> thrown:
>   commonElementCount: 0
>   localizedMessage: "testIOEx"
>   message: "testIOEx"
>   name: "java.io.IOException"
>   cause:
>     commonElementCount: 38
>     localizedMessage: "testNPEx"
>     message: "testNPEx"
>     name: "java.lang.NullPointerException"
>   suppressed:
>   - commonElementCount: 0
>     localizedMessage: "I am suppressed exception 1"
>     message: "I am suppressed exception 1"
>     name: "java.lang.IndexOutOfBoundsException"
>   - commonElementCount: 0
>     localizedMessage: "I am suppressed exception 2"
>     message: "I am suppressed exception 2"
>     name: "java.lang.IndexOutOfBoundsException"
> contextStack:
> - "stack_msg1"
> - "stack_msg2"
> endOfBatch: false
> loggerFqcn: "f.q.c.n"
> instant:
>   epochSecond: 0
>   nanoOfSecond: 100
> threadId: 1
> threadPriority: 5
> KEY1: "VALUE1"
> KEY2: "OpenJDK Runtime Environment (build
> 1.8.0_312-bre_2021_10_20_23_15-b00) from\
>   \ Homebrew"
>
> [INFO]
> [ERROR] Tests run: 2063, Failures: 1, Errors: 0, Skipped: 21
>
> Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
> Maven home: /usr/local/Cellar/maven/3.8.4/libexec
> Java version: 1.8.0_312, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "12.0.1", arch: "x86_64", family: "mac"
>
> I can reproduce this from Eclipse by running the one test class.
>
> The test uses a Java lookup here:
> https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L312
>
> And expects it to be present here:
> https://github.com/apache/logging-log4j2/blob/ad361d2e517e765f69db464d9407ac2dd80bc93e/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/YamlLayoutTest.java#L318
>
> (1) Should this test pass or fail? I thought we disabled lookups _except_
> in configuration files.
> (2) If the test should pass, is _my_ failure due to some line length or
> line wrapping issue?
>
> TY and congrats to all of us for spending so much time on this,
> Gary
>
>
> On Tue, Dec 14, 2021 at 12:58 AM Ralph Goers 
> wrote:
>
>> This is a vote to release Log4j 2.12.2, a security release for Java 7
>> users.
>>
>> Please download, test, and cast your votes on the log4j developers list.
>> [] +1, release the artifacts
>> [] -1, don't release because...
>>
>> The vote will remain open for as short an amount of time as required to vet
>> the release. All votes are welcome and we encourage everyone to test the
>> release, but only Logging PMC votes are “officially” counted. As always, at
>> least 3 +1 votes and more positive than negative votes are required.
>>
>> Changes in this version include:
>>
>> Fixed Bugs
>>
>> • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove
>> message lookups. When enabled, JNDI only supports the java protocol.
>>
>> Tag:
>> a)  for a new copy do "git clone
>> https://github.com/apache/logging-log4j2.git" and then "git checkout
>> tags/log4j-2.12.2-rc1" or just "git clone -b log4j-2.12.2-rc1
>> https://github.com/apache/logging-log4j2.git"
>> b) for an existing working copy do "git pull" and then "git checkout
>> tags/log4j-2.12.2-rc1"
>>
>> Web Site:  No web site was generated for this release. The 2.16.0 web
>> site will be updated appropriately.
>>
>> Maven Artifacts:
>> https://repository.apache.org/content/repositories/orgapachelogging-1070
>>
>> Distribution archives:
>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>
>> You may download all the Maven artifacts by executing:
>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
>> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/
>
>


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Ralph Goers
Great. But I still need to back port the security fix.

Ralph


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
On Tue, Dec 14, 2021 at 10:42 AM Ralph Goers 
wrote:

> Great. But I still need to back port the security fix.
>

Sure, I just want it to build here as a sanity check (my sanity that is), I
know yours is good :-)

Gary



Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
My local build got further but failed dramatically:

[INFO] Apache Log4j Cassandra . FAILURE [  4.748 s]
...
[INFO]
[INFO] BUILD FAILURE
[INFO]
[INFO] Total time:  16:32 min
[INFO] Finished at: 2021-12-14T10:51:28-05:00
[INFO]
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-failsafe-plugin:2.22.2:verify (default) on
project log4j-cassandra: There are test failures.
[ERROR]
[ERROR] Please refer to
/Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra/target/failsafe-reports
for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump,
[date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] org.apache.maven.surefire.booter.SurefireBooterForkException: ExecutionException The forked VM terminated without properly saying goodbye. VM crash or System.exit called?
[ERROR] Command was /bin/sh -c cd /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra && /usr/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre/bin/java -Xms256m -Xmx1024m -jar /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra/target/surefire/surefirebooter96790289588861473.jar /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra/target/surefire 2021-12-14T10-35-49_975-jvmRun1 surefire8996434553780933957tmp surefire_91212199057030638099tmp
[ERROR] Error occurred in starting fork, check output in log
[ERROR] Process Exit Code: 134
[ERROR] at org.apache.maven.plugin.surefire.booterclient.ForkStarter.awaitResultsDone(ForkStarter.java:510)
[ERROR] at org.apache.maven.plugin.surefire.booterclient.ForkStarter.runSuitesForkPerTestSet(ForkStarter.java:457)
[ERROR] at org.apache.maven.plugin.surefire.booterclient.ForkStarter.run(ForkStarter.java:298)
[ERROR] at org.apache.maven.plugin.surefire.booterclient.ForkStarter.run(ForkStarter.java:246)
[ERROR] at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeProvider(AbstractSurefireMojo.java:1183)
[ERROR] at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeAfterPreconditionsChecked(AbstractSurefireMojo.java:1011)
[ERROR] at org.apache.maven.plugin.surefire.AbstractSurefireMojo.execute(AbstractSurefireMojo.java:857)
[ERROR] at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:137)
[ERROR] at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:210)
[ERROR] at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:156)
[ERROR] at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:148)
[ERROR] at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
[ERROR] at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
[ERROR] at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:56)
[ERROR] at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
[ERROR] at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:305)
[ERROR] at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:192)
[ERROR] at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:105)
[ERROR] at org.apache.maven.cli.MavenCli.execute(MavenCli.java:972)
[ERROR] at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:293)
[ERROR] at org.apache.maven.cli.MavenCli.main(MavenCli.java:196)
[ERROR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[ERROR] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[ERROR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[ERROR] at java.lang.reflect.Method.invoke(Method.java:498)
[ERROR] at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
[ERROR] at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
[ERROR] at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
[ERROR] at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
[ERROR] Caused by: org.apache.maven.surefire.booter.SurefireBooterForkException: The forked VM terminated without properly saying goodbye. VM crash or System.exit called?
[ERROR] Command was /bin/sh -c cd /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra && /usr/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre/bin/java -Xms256m -Xmx1024m -jar /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra/target/surefire/surefirebooter96790289588861473.jar /Users/garydgregory/git/logging-log4j-2.12/log4j-cassandra/target/surefire 2021-12-14T10-35-49_975-jvmRun1 surefire8996434553780933957tmp surefire_91212199057030638099

Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
Fails all the time :-( from that point on using 'mvn clean install -V -rf
log4j-cassandra', digging...


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
FTR, here is the crash, even after updating FailSafe to the current 3.0.0-M5:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00010805ec4c, pid=27510, tid=0x3d03
#
# JRE version: OpenJDK Runtime Environment (8.0_312) (build 1.8.0_312-bre_2021_10_20_23_15-b00)
# Java VM: OpenJDK 64-Bit Server VM (25.312-b00 mixed mode bsd-amd64 compressed oops)
# Problematic frame:
# V  [libjvm.dylib+0x545c4c]
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
#   https://github.com/Homebrew/homebrew-core/issues
#

---  T H R E A D  ---

Current thread (0x7fd6de26e000):  JavaThread "Log4j2-TF-1-Cassandra-1" [_thread_in_vm, id=15619, stack(0x72f0f000,0x7300f000)]

siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x


Registers:

RAX=0x0001081f4f90, RBX=0x7fd6de26e000, RCX=0x7fd6dfdf6015,
RDX=0x

RSP=0x7300d460, RBP=0x7300d490, RSI=0x0006,
RDI=0x7300d468

R8 =0x0001081f3ed0, R9 =0x0001081f3ed0, R10=0x00010887b08c,
R11=0x00010887b058

R12=0x, R13=0x7300d500, R14=0x7fd6dfdf6015,
R15=0x

RIP=0x00010805ec4c, EFLAGS=0x00010246, ERR=0x0004

  TRAPNO=0x000e


Top of Stack: (sp=0x7300d460)

0x7300d460:   63ef04e0 7fd6de26e000

0x7300d470:   7fd6de26e000 000119512dd0

0x7300d480:   7300d5b0 7fd6de26e000

0x7300d490:   7300d4e0 00010887b0fe

0x7300d4a0:   0007802f76c0 

0x7300d4b0:   7300d4f0 00011ea9a138

0x7300d4c0:   7300d4e0 000107c3fea4

0x7300d4d0:   625fdb28 7fd6de26e000

0x7300d4e0:   7300d570 00010849c700

0x7300d4f0:   7fd6de26e000 00010849c700

0x7300d500:   7fd6dfdf6015 7300d5b0

0x7300d510:    0007802f76c0

0x7300d520:    0007af5be898

0x7300d530:   7300d530 00011c56073b

0x7300d540:   7300d5b0 00011c560fd8

0x7300d550:    00011c5607b0

0x7300d560:   7300d500 7300d588

0x7300d570:   7300d5f8 00010849cffd

0x7300d580:    0003

0x7300d590:    0007af5be898

0x7300d5a0:   7fd6dfdf6015 00010849c7d0

0x7300d5b0:    7300d5b8

0x7300d5c0:   00011c56060e 7300d630

0x7300d5d0:   00011c560fd8 

0x7300d5e0:   00011c560678 7300d588

0x7300d5f0:   7300d608 7300d678

0x7300d600:   00010849cffd 0003

0x7300d610:    0007af5be868

0x7300d620:   7fd6dfdf6015 0007af5a87a0

0x7300d630:    7300d638

0x7300d640:   00011c5604ce 7300d6c8

0x7300d650:   00011c560fd8 


Instructions: (pc=0x00010805ec4c)

0x00010805ec2c:   7f fe ff 31 db 48 8d 7d d8 48 89 1f be 06 00 00

0x00010805ec3c:   00 e8 5a 11 df ff 48 89 5d e0 41 f6 c7 01 75 05

0x00010805ec4c:   49 8b 07 eb 08 4c 89 ff e8 6d fc dd ff 42 0f be

0x00010805ec5c:   1c 30 48 8d 7d e0 e8 e9 e0 bd ff 48 8d 7d d8 be


Register to memory mapping:


RAX=0x0001081f4f90: _ZN20SafepointSynchronize6_stateE+0 in /usr
/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre/lib/server/libjvm.dylib
at 0x000107b19000

RBX=0x7fd6de26e000 is a thread

RCX=0x7fd6dfdf6015 is an unknown value

RDX=0x is an unknown value

RSP=0x7300d460 is pointing into the stack for thread:
0x7fd6de26e000

RBP=0x7300d490 is pointing into the stack for thread:
0x7fd6de26e000

RSI=0x0006 is an unknown value

RDI=0x7300d468 is pointing into the stack for thread:
0x7fd6de26e000

R8 =0x0001081f3ed0: _ZN2os16_processor_countE+0 in /usr/local/Cellar/
openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre/lib/server/libjvm.dylib
at 0x000107b19000

R9 =0x0001081f3ed0: _ZN2os16_processor_countE+0 in /usr/local/Cellar/
openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre/lib/server/libjvm.dylib
at 0x000107b19000

R10=0x00010887b08c is at entry_point+76 in (nmethod*)0x00010887aed0

R11=0x00010887b058 is at entry_point+24 in (nmethod*)0x00010887aed0

R12=0x is an unknown value

R13=0x7300d500 is pointing into the stack for thread:
0x7fd6de26e000

R14=0x7fd6dfdf6015 is a

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Matt Sicker
Where is that? On the generated site?
--
Matt Sicker

> On Dec 14, 2021, at 04:46, Gary Gregory  wrote:
> 
> Should JQuery's copyright be in the NOTICE file?
> 


Re: log4net

2021-12-14 Thread Matt Sicker
JNDI is a Java API (Java Naming and Directory Interface) for abstracting 
various networking APIs like LDAP, DNS, etc. It’s not present in .NET or C++ 
(or any non-JVM language), so it does not affect log4net or log4cxx.
--
Matt Sicker

> On Dec 14, 2021, at 08:54, David Schwartz  wrote:
> 
> Hi Joe,
> 
> Adding to what Davyd wrote.  I just searched the codebase and the JndiLookup 
> class (where the log4j vulnerability was found) does not exist in log4net.  
> In fact, there is no code related to jndi at all as far as I can see.
> 
> David
> 
> -Original Message-
> From: Davyd McColl <dav...@gmail.com>
> Sent: Tuesday, December 14, 2021 4:10 PM
> To: dev@logging.apache.org
> Subject: [EXTERNAL] Re: log4net
> 
> Hi Joe
> 
> No, it shouldn't, particularly because we're very different projects, on very 
> different platforms, and I understand that the log4j vuln is largely linked 
> to a  _dependency_ of log4j. The closest we've had was an xml vuln that was 
> patched some time ago.
> 
> That being said, I'm currently the only maintainer and I definitely have 
> written the least code in log4net, so if you or anyone else would like to 
> audit for vulnerabilities (and, even better, PR mitigations), I'm all for it.
> 
> -d
> 
> 
> On December 14, 2021 16:03:39 Joe Kelly  wrote:
> 
>> I was wondering if the log4net service has a similar vulnerability as
>> log4j. There isn't any information on the log4net security page and
>> the current version of 2.0.13 doesn't match the log4j version of 2.16.0.
>> 
>> Joe Kelly
>> Information Security Analyst
>> Oklahoma's Credit Union
> 
> INTERNAL - NI CONFIDENTIAL



CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

2021-12-14 Thread Ron Grabowski
Severity: moderate (CVSS: 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Description:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was 
incomplete in certain non-default configurations. This could allow attackers 
with control over Thread Context Map (MDC) input data, when the logging 
configuration uses a non-default Pattern Layout with either a Context Lookup 
(for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or 
%MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a 
denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to 
localhost by default. Note that previous mitigations involving configuration, 
such as setting the system property `log4j2.noFormatMsgLookup` to `true`, do NOT 
mitigate this specific vulnerability.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns 
and disabling JNDI functionality by default.  

This issue can be mitigated in prior releases (<2.16.0) by removing the 
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class).
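A defender-side check for the two conditions this advisory names, written here as an added example (it is not part of the advisory or of the Log4j project): it flags PatternLayouts that use a Context Lookup or a %X/%mdc/%MDC pattern, tests whether a log4j-core jar still contains JndiLookup.class, and performs the same removal as the zip command above. The jar and both configurations are constructed inline; the StrLookup placeholder entry and the sample patterns are assumptions, and the check does not read the jar's version (it is meant for pre-2.16.0 jars).

```python
"""Check the CVE-2021-45046 exposure conditions: a PatternLayout using a
Context Lookup or Thread Context Map pattern, plus a log4j-core jar that
still ships JndiLookup.class. Added example, not Log4j project code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Class removed by the advisory's `zip -q -d` mitigation.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Context Lookup (${ctx:...} or deferred $${ctx:...}) and the Thread Context
# Map conversion patterns (%X, %mdc, %MDC) named in the advisory.
CONTEXT_LOOKUP_RE = re.compile(r"\$\$?\{ctx:[^}]*\}")
THREAD_CONTEXT_RE = re.compile(r"%(?:X|mdc|MDC)\b")

# Constructed sample configurations (assumed, not from the advisory).
RISKY_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] %-5level user=%X{loginId} $${ctx:loginId} - %msg%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""
SAFE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout><Pattern>%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n</Pattern></PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>
"""


def build_sample_jar(include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core: empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"")
    return buf.getvalue()


def jar_entries(jar_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if JndiLookup.class is still present (mitigation not applied)."""
    return JNDI_LOOKUP_ENTRY in jar_entries(jar_bytes)


def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class; same effect as the
    advisory's `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def risky_patterns(config_xml: str) -> List[Tuple[str, List[str]]]:
    """Return each PatternLayout pattern that uses one of the advisory's
    patterns, paired with the offending tokens found in it."""
    root = ET.fromstring(config_xml)
    findings = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be an attribute or a nested <Pattern> element.
        pattern = layout.get("pattern") or ""
        for child in layout:
            if child.tag == "Pattern" and child.text:
                pattern = pattern + " " + child.text
        tokens = CONTEXT_LOOKUP_RE.findall(pattern) + THREAD_CONTEXT_RE.findall(pattern)
        if tokens:
            findings.append((pattern.strip(), tokens))
    return findings


def assess(jar_bytes: bytes, config_xml: str) -> Dict[str, object]:
    """Exposure per the advisory needs both: a risky pattern in the layout
    and JndiLookup.class still reachable on the classpath."""
    findings = risky_patterns(config_xml)
    jndi_present = jar_has_jndi_lookup(jar_bytes)
    return {
        "jndi_lookup_present": jndi_present,
        "risky_patterns": findings,
        "exposed": jndi_present and bool(findings),
    }


if __name__ == "__main__":
    jar = build_sample_jar(include_jndi_lookup=True)
    print("before mitigation:", assess(jar, RISKY_CONFIG))
    print("after mitigation: ", assess(remove_jndi_lookup(jar), RISKY_CONFIG))
```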

References:

https://logging.apache.org/log4j/2.x/security.html
https://www.cve.org/CVERecord?id=CVE-2021-44228



Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Gary Gregory
I run 'mvn apache-rat:check' from the command line as part of a review.

A generated site also includes a RAT report.

Gary

On Tue, Dec 14, 2021 at 11:30 AM Matt Sicker  wrote:

> Where is that? On the generated site?
> --
> Matt Sicker
>
> > On Dec 14, 2021, at 04:46, Gary Gregory  wrote:
> >
> > Should JQuery's copyright be in the NOTICE file?
> >
> > On Tue, Dec 14, 2021 at 5:45 AM Gary Gregory 
> wrote:
> >
> >> Hi all,
> >>
> >> mvn apache-rat:check fails
> >>
> >> JQuery is included in the checkout of the tag. Is that a problem?
> >>
> >> Gary
> >>
> >> On Tue, Dec 14, 2021 at 12:38 AM Matt Sicker  wrote:
> >>
> >>> This is a vote to release Log4j Kotlin API version 1.2.0, the next
> >>> version of the Kotlin facade for Log4j2.
> >>>
> >>> Please download, test, and cast your votes on the log4j developers
> list.
> >>> [] +1, release the artifacts
> >>> [] -1, don't release because...
> >>>
> >>> The vote will remain open for 24 hours (or more if required). All votes
> >>> are welcome and we encourage everyone to test the release, but only
> Logging
> >>> PMC votes are “officially” counted. As always, at least 3 +1 votes and
> more
> >>> positive than negative votes are required.
> >>>
> >>> Changes in this release include:
> >>>
> >>> * LOG4J2-3218: Update Log4j dependency to 2.16.0.
> >>>
> >>> This is primarily provided to help upgrade transitive dependencies on
> >>> log4j-core which was recently updated to fix CVE-2021-44228.
> >>>
> >>> Tag:
> >>> a)  for a new copy do "git clone
> >>> https://github.com/apache/logging-log4j-kotlin.git <
> >>> https://github.com/apache/logging-log4j-kotlin.git>” and then "git
> >>> checkout tags/log4j-api-kotlin-1.2.0-rc1”  or just "git clone -b
> >>> log4j-api-kotlin-1.2.0-rc1
> >>> https://github.com/apache/logging-log4j-kotlin.git <
> >>> https://github.com/apache/logging-log4j-kotlin.git>"
> >>> b) for an existing working copy to “git pull” and then “git checkout
> >>> tags/log4j-api-kotlin-1.2.0-rc1”
> >>>
> >>> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
> >>>
> >>> Maven Artifacts:
> >>>
> https://repository.apache.org/content/repositories/orgapachelogging-1069/
> >>>
> >>> Distribution archives:
> >>> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
> >>>
> >>> You may download all the Maven artifacts by executing:
> >>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> >>>
> https://repository.apache.org/content/repositories/orgapachelogging-1069/org/apache/logging/log4j/
> >>>
> >>> --
> >>> Matt Sicker
> >>>
> >>>
>
>


Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Matt Sicker
The RAT reports on the site look fine, though. The only files without
a license header are ones that wouldn't normally have one.

On Tue, Dec 14, 2021 at 11:04 AM Gary Gregory  wrote:
>
> I run 'mvn apache-rat:check' from the command line as part of a review.
>
> A generated site also includes a RAT report.
>
> Gary
>
> On Tue, Dec 14, 2021 at 11:30 AM Matt Sicker  wrote:
>
> > Where is that? On the generated site?
> > --
> > Matt Sicker
> >
> > > On Dec 14, 2021, at 04:46, Gary Gregory  wrote:
> > >
> > > Should JQuery's copyright be in the NOTICE file?
> > >
> > > On Tue, Dec 14, 2021 at 5:45 AM Gary Gregory 
> > wrote:
> > >
> > >> Hi all,
> > >>
> > >> mvn apache-rat:check fails
> > >>
> > >> JQuery is included in the checkout of the tag. Is that a problem?
> > >>
> > >> Gary
> > >>
> > >> On Tue, Dec 14, 2021 at 12:38 AM Matt Sicker  wrote:
> > >>
> > >>> This is a vote to release Log4j Kotlin API version 1.2.0, the next
> > >>> version of the Kotlin facade for Log4j2.
> > >>>
> > >>> Please download, test, and cast your votes on the log4j developers
> > list.
> > >>> [] +1, release the artifacts
> > >>> [] -1, don't release because...
> > >>>
> > >>> The vote will remain open for 24 hours (or more if required). All votes
> > >>> are welcome and we encourage everyone to test the release, but only
> > Logging
> > >>> PMC votes are “officially” counted. As always, at least 3 +1 votes and
> > more
> > >>> positive than negative votes are required.
> > >>>
> > >>> Changes in this release include:
> > >>>
> > >>> * LOG4J2-3218: Update Log4j dependency to 2.16.0.
> > >>>
> > >>> This is primarily provided to help upgrade transitive dependencies on
> > >>> log4j-core which was recently updated to fix CVE-2021-44228.
> > >>>
> > >>> Tag:
> > >>> a)  for a new copy do "git clone
> > >>> https://github.com/apache/logging-log4j-kotlin.git <
> > >>> https://github.com/apache/logging-log4j-kotlin.git>” and then "git
> > >>> checkout tags/log4j-api-kotlin-1.2.0-rc1”  or just "git clone -b
> > >>> log4j-api-kotlin-1.2.0-rc1
> > >>> https://github.com/apache/logging-log4j-kotlin.git <
> > >>> https://github.com/apache/logging-log4j-kotlin.git>"
> > >>> b) for an existing working copy to “git pull” and then “git checkout
> > >>> tags/log4j-api-kotlin-1.2.0-rc1”
> > >>>
> > >>> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
> > >>>
> > >>> Maven Artifacts:
> > >>>
> > https://repository.apache.org/content/repositories/orgapachelogging-1069/
> > >>>
> > >>> Distribution archives:
> > >>> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
> > >>>
> > >>> You may download all the Maven artifacts by executing:
> > >>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> > >>>
> > https://repository.apache.org/content/repositories/orgapachelogging-1069/org/apache/logging/log4j/
> > >>>
> > >>> --
> > >>> Matt Sicker
> > >>>
> > >>>
> >
> >


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Carter Kozak
+1

validated the build and signatures, tests in core modules.

On Tue, Dec 14, 2021, at 00:58, Ralph Goers wrote:
> This is a vote to release Log4j 2.12.2, a security release for Java 7 users.
> 
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
> 
> The vote will remain open for as short an amount of time as required to vet the 
> release. All votes are welcome and we encourage everyone to test the release, 
> but only Logging PMC votes are “officially” counted. As always, at least 3 +1 
> votes and more positive than negative votes are required.
> 
> Changes in this version include:
> 
> Fixed Bugs
> 
> • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove message 
> lookups. When enabled JNDI only supports the java protocol.
> 
> Tag: 
> a)  for a new copy do "git clone 
> https://github.com/apache/logging-log4j2.git" and then "git checkout 
> tags/log4j-2.12.2-rc1”  or just "git clone -b log4j-2.12.2-rc1 
> https://github.com/apache/logging-log4j2.git"
> b) for an existing working copy to “git pull” and then “git checkout 
> tags/log4j-2.12.2-rc1”
> 
> Web Site:  No web site was generated for this release. The 2.16.0 web site 
> will be updated appropriately.
> 
> Maven Artifacts: 
> https://repository.apache.org/content/repositories/orgapachelogging-1070
> 
> Distribution archives: https://dist.apache.org/repos/dist/dev/logging/log4j/ 
> 
> You may download all the Maven artifacts by executing:
> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate 
> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/

-ck

Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Remko Popma
+1 very light validation but ran a simple test program against the binaries

On Wed, Dec 15, 2021 at 3:19 AM Carter Kozak  wrote:

> +1
>
> validated the build and signatures, tests in core modules.
>
> On Tue, Dec 14, 2021, at 00:58, Ralph Goers wrote:
> > This is a vote to release Log4j 2.12.2, a security release for Java 7
> users.
> >
> > Please download, test, and cast your votes on the log4j developers list.
> > [] +1, release the artifacts
> > [] -1, don't release because...
> >
> > The vote will remain open for as short an amount of time as required to vet
> the release. All votes are welcome and we encourage everyone to test the
> release, but only Logging PMC votes are “officially” counted. As always, at
> least 3 +1 votes and more positive than negative votes are required.
> >
> > Changes in this version include:
> >
> > Fixed Bugs
> >
> > • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove
> message lookups. When enabled JNDI only supports the java protocol.
> >
> > Tag:
> > a)  for a new copy do "git clone
> https://github.com/apache/logging-log4j2.git" and then "git checkout
> tags/log4j-2.12.2-rc1”  or just "git clone -b log4j-2.12.2-rc1
> https://github.com/apache/logging-log4j2.git"
> > b) for an existing working copy to “git pull” and then “git checkout
> tags/log4j-2.12.2-rc1”
> >
> > Web Site:  No web site was generated for this release. The 2.16.0 web
> site will be updated appropriately.
> >
> > Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1070
> >
> > Distribution archives:
> https://dist.apache.org/repos/dist/dev/logging/log4j/
> >
> > You may download all the Maven artifacts by executing:
> > wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/
>
> -ck


Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Ralph Goers
My +1

Ralph

> On Dec 14, 2021, at 11:26 AM, Remko Popma  wrote:
> 
> +1 very light validation but ran a simple test program against the binaries
> 
> On Wed, Dec 15, 2021 at 3:19 AM Carter Kozak  wrote:
> 
>> +1
>> 
>> validated the build and signatures, tests in core modules.
>> 
>> On Tue, Dec 14, 2021, at 00:58, Ralph Goers wrote:
>>> This is a vote to release Log4j 2.12.2, a security release for Java 7
>> users.
>>> 
>>> Please download, test, and cast your votes on the log4j developers list.
>>> [] +1, release the artifacts
>>> [] -1, don't release because...
>>> 
>>> The vote will remain open for as short an amount of time as required to vet
>> the release. All votes are welcome and we encourage everyone to test the
>> release, but only Logging PMC votes are “officially” counted. As always, at
>> least 3 +1 votes and more positive than negative votes are required.
>>> 
>>> Changes in this version include:
>>> 
>>> Fixed Bugs
>>> 
>>> • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove
>> message lookups. When enabled JNDI only supports the java protocol.
>>> 
>>> Tag:
>>> a)  for a new copy do "git clone
>> https://github.com/apache/logging-log4j2.git" and then "git checkout
>> tags/log4j-2.12.2-rc1”  or just "git clone -b log4j-2.12.2-rc1
>> https://github.com/apache/logging-log4j2.git"
>>> b) for an existing working copy to “git pull” and then “git checkout
>> tags/log4j-2.12.2-rc1”
>>> 
>>> Web Site:  No web site was generated for this release. The 2.16.0 web
>> site will be updated appropriately.
>>> 
>>> Maven Artifacts:
>> https://repository.apache.org/content/repositories/orgapachelogging-1070
>>> 
>>> Distribution archives:
>> https://dist.apache.org/repos/dist/dev/logging/log4j/
>>> 
>>> You may download all the Maven artifacts by executing:
>>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
>> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/
>> 
>> -ck



Re: [VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Gary Gregory
+1

Minor hassle with log4j-Cassandra discussed elsewhere.

Gary

On Tue, Dec 14, 2021, 13:28 Ralph Goers  wrote:

> My +1
>
> Ralph
>
> > On Dec 14, 2021, at 11:26 AM, Remko Popma  wrote:
> >
> > +1 very light validation but ran a simple test program against the
> binaries
> >
> > On Wed, Dec 15, 2021 at 3:19 AM Carter Kozak  wrote:
> >
> >> +1
> >>
> >> validated the build and signatures, tests in core modules.
> >>
> >> On Tue, Dec 14, 2021, at 00:58, Ralph Goers wrote:
> >>> This is a vote to release Log4j 2.12.2, a security release for Java 7
> >> users.
> >>>
> >>> Please download, test, and cast your votes on the log4j developers
> list.
> >>> [] +1, release the artifacts
> >>> [] -1, don't release because...
> >>>
> >>> The vote will remain open for as short an amount of time as required to
> vet
> >> the release. All votes are welcome and we encourage everyone to test the
> >> release, but only Logging PMC votes are “officially” counted. As
> always, at
> >> least 3 +1 votes and more positive than negative votes are required.
> >>>
> >>> Changes in this version include:
> >>>
> >>> Fixed Bugs
> >>>
> >>> • LOG4J-3220: Disable JNDI by default, remove JNDI Lookup, remove
> >> message lookups. When enabled JNDI only supports the java protocol.
> >>>
> >>> Tag:
> >>> a)  for a new copy do "git clone
> >> https://github.com/apache/logging-log4j2.git" and then "git checkout
> >> tags/log4j-2.12.2-rc1”  or just "git clone -b log4j-2.12.2-rc1
> >> https://github.com/apache/logging-log4j2.git"
> >>> b) for an existing working copy to “git pull” and then “git checkout
> >> tags/log4j-2.12.2-rc1”
> >>>
> >>> Web Site:  No web site was generated for this release. The 2.16.0 web
> >> site will be updated appropriately.
> >>>
> >>> Maven Artifacts:
> >>
> https://repository.apache.org/content/repositories/orgapachelogging-1070
> >>>
> >>> Distribution archives:
> >> https://dist.apache.org/repos/dist/dev/logging/log4j/
> >>>
> >>> You may download all the Maven artifacts by executing:
> >>> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> >>
> https://repository.apache.org/content/repositories/orgapachelogging-1070/org/apache/logging/log4j/
> >>
> >> -ck
>
>


[RESULT][VOTE] Release Log4j 2.12.2-rc1

2021-12-14 Thread Ralph Goers
This vote passed with +1 votes from Matt Sicker, Carter Kozak, Remko Popma, 
Ralph Goers, and Gary Gregory. There were no other votes. 

I will continue with the release.

Ralph

Fwd: git master and Serializable

2021-12-14 Thread Gary Gregory
I think we should drop implementing Serializable on anything for 3.0.0.

A la Effective Java #85.

Gary


Re: git master and Serializable

2021-12-14 Thread Matt Sicker
Agreed. While the serialization logic for Logger is pretty trivial, it
would be best to avoid serialization APIs entirely.

On Tue, Dec 14, 2021 at 12:42 PM Gary Gregory  wrote:
>
> I think we should drop implementing Serializable on anything for 3.0.0.
>
> A la Effective Java #85.
>
> Gary


Re: git master and Serializable

2021-12-14 Thread Gary Gregory
Tracking here: https://issues.apache.org/jira/browse/LOG4J2-3228

Gary

On Tue, Dec 14, 2021, 13:46 Matt Sicker  wrote:

> Agreed. While the serialization logic for Logger is pretty trivial, it
> would be best to avoid serialization APIs entirely.
>
> On Tue, Dec 14, 2021 at 12:42 PM Gary Gregory 
> wrote:
> >
> > I think we should drop implementing Serializable on anything for 3.0.0.
> >
> > A la Effective Java #85.
> >
> > Gary
>


Answering FAQ regarding recent CVEs, was: log4net

2021-12-14 Thread Dominik Psenner
This question has been asked several times now. I'm proposing to update the
website so that it is more obvious that log4net and log4xx are not affected.

On Tue, 14 Dec 2021 at 17:48, Matt Sicker  wrote:

> JNDI is a Java API (Java Naming and Directory Interface) for abstracting
> various networking APIs like LDAP, DNS, etc. It’s not present in .NET or
> C++ (or any non-JVM language), so it does not affect log4net or log4cxx.
> --
> Matt Sicker
>
> > On Dec 14, 2021, at 08:54, David Schwartz  wrote:
> >
> > Hi Joe,
> >
> > Adding to what Davyd wrote.  I just searched the codebase and the
> JndiLookup class (where the log4j vulnerability was found) does not exist
> in log4net.  In fact, there is no code related to jndi at all as far as I
> can see.
> >
> > David
> >
> > -Original Message-
> > From: Davyd McColl <dav...@gmail.com>
> > Sent: Tuesday, December 14, 2021 4:10 PM
> > To: dev@logging.apache.org 
> > Subject: [EXTERNAL] Re: log4net
> >
> > Hi Joe
> >
> > No, it shouldn't, particularly because we're very different projects, on
> very different platforms, and I understand that the log4j vuln is largely
> linked to a  _dependency_ of log4j. The closest we've had was an xml vuln
> that was patched some time ago.
> >
> > That being said, I'm currently the only maintainer and I definitely have
> written the least code in log4net, so if you or anyone else would like to
> audit for vulnerabilities (and, even better, PR mitigations), I'm all for
> it.
> >
> > -d
> >
> >
> > On December 14, 2021 16:03:39 Joe Kelly  wrote:
> >
> >> I was wondering if the log4net service has a similar vulnerability as
> >> log4j. There isn't any information on the log4net security page and
> >> the current version of 2.0.13 doesn't match the log4j version of 2.16.0.
> >>
> >> Joe Kelly
> >> Information Security Analyst
> >
> > INTERNAL - NI CONFIDENTIAL
>
>

-- 
Dominik Psenner


Re: Answering FAQ regarding recent CVEs, was: log4net

2021-12-14 Thread Mayank Kumar
Can someone help me unsubscribe from this email group? I have tried
many times, but not succeeded.

-Mayank

On Tue, Dec 14, 2021 at 12:16 PM Dominik Psenner  wrote:

> This question has been asked several times now. I'm proposing to update the
> website so that it is more obvious that log4net and log4xx are not
> affected.
>
> On Tue, 14 Dec 2021 at 17:48, Matt Sicker  wrote:
>
> > JNDI is a Java API (Java Naming and Directory Interface) for abstracting
> > various networking APIs like LDAP, DNS, etc. It’s not present in .NET or
> > C++ (or any non-JVM language), so it does not affect log4net or log4cxx.
> > --
> > Matt Sicker
> >
> > > On Dec 14, 2021, at 08:54, David Schwartz 
> wrote:
> > >
> > > Hi Joe,
> > >
> > > Adding to what Davyd wrote.  I just searched the codebase and the
> > JndiLookup class (where the log4j vulnerability was found) does not exist
> > in log4net.  In fact, there is no code related to jndi at all as far as I
> > can see.
> > >
> > > David
> > >
> > > -Original Message-
> > > From: Davyd McColl <dav...@gmail.com>
> > > Sent: Tuesday, December 14, 2021 4:10 PM
> > > To: dev@logging.apache.org 
> > > Subject: [EXTERNAL] Re: log4net
> > >
> > > Hi Joe
> > >
> > > No, it shouldn't, particularly because we're very different projects,
> on
> > very different platforms, and I understand that the log4j vuln is largely
> > linked to a  _dependency_ of log4j. The closest we've had was an xml vuln
> > that was patched some time ago.
> > >
> > > That being said, I'm currently the only maintainer and I definitely
> have
> > written the least code in log4net, so if you or anyone else would like to
> > audit for vulnerabilities (and, even better, PR mitigations), I'm all for
> > it.
> > >
> > > -d
> > >
> > >
> > > On December 14, 2021 16:03:39 Joe Kelly  wrote:
> > >
> > >> I was wondering if the log4net service has a similar vulnerability as
> > >> log4j. There isn't any information on the log4net security page and
> > >> the current version of 2.0.13 doesn't match the log4j version of
> 2.16.0.
> > >>
> > >> Joe Kelly
> > >> Information Security Analyst
> > >
> > > INTERNAL - NI CONFIDENTIAL
> >
> >
>
> --
> Dominik Psenner
>


-- 
Regards
Mayank


Re: Answering FAQ regarding recent CVEs, was: log4net

2021-12-14 Thread Dominik Psenner
See:

https://logging.apache.org/mailing-lists.html

--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Tue, Dec 14, 2021, 21:24 Mayank Kumar  wrote:

> Can someone help me unsubscribe from this email group? I have tried
> many times, but not succeeded.
>
> -Mayank
>
> On Tue, Dec 14, 2021 at 12:16 PM Dominik Psenner 
> wrote:
>
> > This question has been asked several times now. I'm proposing to update
> the
> > website so that it is more obvious that log4net and log4xx are not
> > affected.
> >
> > On Tue, 14 Dec 2021 at 17:48, Matt Sicker  wrote:
> >
> > > JNDI is a Java API (Java Naming and Directory Interface) for
> abstracting
> > > various networking APIs like LDAP, DNS, etc. It’s not present in .NET
> or
> > > C++ (or any non-JVM language), so it does not affect log4net or
> log4cxx.
> > > --
> > > Matt Sicker
> > >
> > > > On Dec 14, 2021, at 08:54, David Schwartz 
> > wrote:
> > > >
> > > > Hi Joe,
> > > >
> > > > Adding to what Davyd wrote.  I just searched the codebase and the
> > > JndiLookup class (where the log4j vulnerability was found) does not
> exist
> > > in log4net.  In fact, there is no code related to jndi at all as far
> as I
> > > can see.
> > > >
> > > > David
> > > >
> > > > -Original Message-
> > > > From: Davyd McColl <dav...@gmail.com>
> > > > Sent: Tuesday, December 14, 2021 4:10 PM
> > > > To: dev@logging.apache.org 
> > > > Subject: [EXTERNAL] Re: log4net
> > > >
> > > > Hi Joe
> > > >
> > > > No, it shouldn't, particularly because we're very different projects,
> > on
> > > very different platforms, and I understand that the log4j vuln is
> largely
> > > linked to a  _dependency_ of log4j. The closest we've had was an xml
> vuln
> > > that was patched some time ago.
> > > >
> > > > That being said, I'm currently the only maintainer and I definitely
> > have
> > > written the least code in log4net, so if you or anyone else would like
> to
> > > audit for vulnerabilities (and, even better, PR mitigations), I'm all
> for
> > > it.
> > > >
> > > > -d
> > > >
> > > >
> > > > On December 14, 2021 16:03:39 Joe Kelly  wrote:
> > > >
> > > >> I was wondering if the log4net service has a similar vulnerability
> as
> > > >> log4j. There isn't any information on the log4net security page and
> > > >> the current version of 2.0.13 doesn't match the log4j version of
> > 2.16.0.
> > > >>
> > > >> Joe Kelly
> > > >> Information Security Analyst
> > > >
> > > > INTERNAL - NI CONFIDENTIAL
> > >
> > >
> >
> > --
> > Dominik Psenner
> >
>
>
> --
> Regards
> Mayank
>


Re: Answering FAQ regarding recent CVEs, was: log4net

2021-12-14 Thread Mayank Kumar
Thanks, I have sent emails to all lists mentioned there with subject as
unsubscribe.

On Tue, Dec 14, 2021 at 12:49 PM Dominik Psenner  wrote:

> See:
>
> https://logging.apache.org/mailing-lists.html
>
> --
> Sent from my phone. Typos are a kind gift to anyone who happens to find
> them.
>
> On Tue, Dec 14, 2021, 21:24 Mayank Kumar  wrote:
>
> > Can someone help me unsubscribe from this email group? I have tried
> > many times, but not succeeded.
> >
> > -Mayank
> >
> > On Tue, Dec 14, 2021 at 12:16 PM Dominik Psenner 
> > wrote:
> >
> > > This question has been asked several times now. I'm proposing to update
> > the
> > > website so that it is more obvious that log4net and log4xx are not
> > > affected.
> > >
> > > On Tue, 14 Dec 2021 at 17:48, Matt Sicker  wrote:
> > >
> > > > JNDI is a Java API (Java Naming and Directory Interface) for
> > abstracting
> > > > various networking APIs like LDAP, DNS, etc. It’s not present in .NET
> > or
> > > > C++ (or any non-JVM language), so it does not affect log4net or
> > log4cxx.
> > > > --
> > > > Matt Sicker
> > > >
> > > > > On Dec 14, 2021, at 08:54, David Schwartz 
> > > wrote:
> > > > >
> > > > > Hi Joe,
> > > > >
> > > > > Adding to what Davyd wrote.  I just searched the codebase and the
> > > > JndiLookup class (where the log4j vulnerability was found) does not
> > exist
> > > > in log4net.  In fact, there is no code related to jndi at all as far
> > as I
> > > > can see.
> > > > >
> > > > > David
> > > > >
> > > > > -Original Message-
> > > > > From: Davyd McColl <dav...@gmail.com>
> > > > > Sent: Tuesday, December 14, 2021 4:10 PM
> > > > > To: dev@logging.apache.org 
> > > > > Subject: [EXTERNAL] Re: log4net
> > > > >
> > > > > Hi Joe
> > > > >
> > > > > No, it shouldn't, particularly because we're very different
> projects,
> > > on
> > > > very different platforms, and I understand that the log4j vuln is
> > largely
> > > > linked to a  _dependency_ of log4j. The closest we've had was an xml
> > vuln
> > > > that was patched some time ago.
> > > > >
> > > > > That being said, I'm currently the only maintainer and I definitely
> > > have
> > > > written the least code in log4net, so if you or anyone else would
> like
> > to
> > > > audit for vulnerabilities (and, even better, PR mitigations), I'm all
> > for
> > > > it.
> > > > >
> > > > > -d
> > > > >
> > > > >
> > > > > On December 14, 2021 16:03:39 Joe Kelly 
> wrote:
> > > > >
> > > > >> I was wondering if the log4net service has a similar vulnerability
> > as
> > > > >> log4j. There isn't any information on the log4net security page
> and
> > > > >> the current version of 2.0.13 doesn't match the log4j version of
> > > 2.16.0.
> > > > >>
> > > > >> Joe Kelly
> > > > >> Information Security Analyst
> > > > >
> > > > > INTERNAL - NI CONFIDENTIAL
> > > >
> > > >
> > >
> > > --
> > > Dominik Psenner
> > >
> >
> >
> > --
> > Regards
> > Mayank
> >
>


-- 
Regards
Mayank


[ANNOUNCE] Apache Log4j 2.12.2 released

2021-12-14 Thread Volkan Yazıcı
The Apache Log4j 2 team is pleased to announce the Log4j 2.12.2 release!

Apache Log4j is a well known framework for logging application
behavior. Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many other
modern features such as support for Markers, lambda expressions for
lazy logging, property substitution using Lookups, multiple patterns
on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
feature is the ability to be "garbage-free" (avoid allocating
temporary objects) while logging. In addition, Log4j 2 will not lose
events while reconfiguring.

The artifacts may be downloaded from
https://logging.apache.org/log4j/log4j-2.12.2/download.html.

This release contains changes addressing only CVE-2021-44228 and
CVE-2021-45046 for users still using Java 7:

* Removed Message Lookups in PatternLayout. "%m{lookup}",
"%m{nolookup}", and variants will still be accepted as conversion
patterns, but have no effect.

* Disabled JNDI by default; when enabled, only the "java" protocol
is allowed.

* Made JNDI Lookup inoperable and removed the message Lookup
capability.

The Log4j 2.12.2 API, as well as many core components, maintains
binary compatibility with previous releases. This version is
recommended as an upgrade.


Apache Log4j 2.12.2 requires a minimum of Java 7 to build and run.
Log4j 2.16.0 is the most recent Log4j release and users are
encouraged to upgrade this version, if possible. Java 7 is no
longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on
how to submit bug reports, patches, or suggestions for improvement,
see the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.x/


Release announcement / download for Log4J 2.12.2

2021-12-14 Thread Rainer Jung

Hi there,

I saw the release announcement for 2.12.2 on this dev list (in the 
archive). It contains the following download link:


https://logging.apache.org/log4j/log4j-2.12.2/download.html

What is confusing is that this URL redirects to

https://logging.apache.org/log4j/log4j-2.12.1/download.html

(2.12.1 instead of 2.12.2 in the URL) but that page then contains the 
text and links for 2.12.2. Users might get confused whether that's 
right, which is a bit problematic in the context of a security release.

Furthermore, lower down on that page, there is still the table of 
download links for version 2.12.1, before the next heading "Previous 
Releases" comes, under which there is 2.3.

Probably someone forgot to delete the 2.12.1 table?

On the download page https://logging.apache.org/log4j/2.x/download.html 
for the current version 2.16.0, under "Previous Releases" still only 
2.12.1 is mentioned, not 2.12.2, and the page refers to the archive under 
https://archive.apache.org/dist/logging/log4j/ to download previous 
versions. But in the archive 2.12.2 is not yet present.

I know that the last days were hard and very busy, but it might still 
help to do a little cleanup.

Thanks a lot and best regards,

Rainer


Improvements for release announcements

2021-12-14 Thread Rainer Jung



Hi there,

I know you can't fix the announcements already sent out, but for future 
announcements, and in case the release announcement text is also part of 
the log4j web pages, one should maybe rephrase:

"Log4j 2 is an upgrade to Log4j that provides significant
improvements ... such as support for... property substitution using 
Lookups..."

The mentioning of lookups here might need clarification. When 2.17.0 
gets out, people might get afraid that the lookup problem might have 
been reintroduced.


For the sake of completeness: the 2.16.0 announcement also contained:

"Prior to version 2.15.0, Log4j would automatically resolve Lookups
contained in the message or its parameters in the Pattern Layout. This
behavior is no longer the default and must be enabled by specifying
%msg{lookup}."

AFAIK that was true for 2.15.0, but no longer for 2.16.0. The 
announcement for 2.12.2 instead contained the more correct


"Removed Message Lookups in PatternLayout. "%m{lookup}",
"%m{nolookup}", and variants will still be accepted as conversion
patterns, but have no effect."

Thanks and regards,

Rainer


Please set tag rel/2.12.2

2021-12-14 Thread Rainer Jung
The tag for rel/2.12.2 is missing. The RC tag log4j-2.12.2-rc1 exists, 
but not the rel tag.


Thanks!

Rainer



Re: Improvements for release announcements

2021-12-14 Thread Ralph Goers
Thanks, the wording of the %msg{lookup} is definitely incorrect, but by the time 
it was caught, sending out a corrected announcement seemed like it would be even 
more confusing.

While you are at it, could you please take a look at the web site. What we did 
was very unusual for us - we skipped building a 2.12.2 web site and just added 
some content to 2.12.1 and then updated the 2.16.0 site to reflect 2.12.0. 
Having a fresh set of eyes is most welcome. FWIW, the source for the site is in 
the log4j main repo as part of the project source. But the site itself is in 
the logging-log4j-site repo. So you could do PRs there for things that need to 
be fixed. We hand edited everything and have yet to back port it to the source 
but will be doing that over the next few days.

Ralph

> On Dec 14, 2021, at 4:13 PM, Rainer Jung  wrote:
> 
> 
> Hi there,
> 
> I know you can't fix the announcements already sent out, but for future 
> announcements, and in case the release announcement text is also part of the 
> log4j web pages, one should maybe rephrase:
> 
> "Log4j 2 is an upgrade to Log4j that provides significant
> improvements ... such as support for... property substitution using 
> Lookups..."
> 
> The mentioning of lookups here might need clarification. When 2.17.0 gets 
> out, people might get afraid that the lookup problem might have been 
> reintroduced.
> 
> For the sake of completeness: the 2.16.0 announcement also contained:
> 
> "Prior to version 2.15.0, Log4j would automatically resolve Lookups
> contained in the message or its parameters in the Pattern Layout. This
> behavior is no longer the default and must be enabled by specifying
> %msg{lookup}."
> 
> AFAIK that was true for 2.15.0, but no longer for 2.16.0. The announcement 
> for 2.12.2 instead contained the more correct
> 
> "Removed Message Lookups in PatternLayout. "%m{lookup}",
> "%m{nolookup}", and variants will still be accepted as conversion
> patterns, but have no effect."
> 
> Thanks and regards,
> 
> Rainer
> 



Re: Release announcement / download for Log4J 2.12.2

2021-12-14 Thread Matt Sicker
We made small changes to the 2.12.1 site to include information about
the 2.12.2 patch. The old 2.12.1 download links were left in place,
though it might be confusing. And the 2.12.2 releases are available
here: https://downloads.apache.org/logging/log4j/2.12.2/

On Tue, Dec 14, 2021 at 5:06 PM Rainer Jung  wrote:
>
> Hi there,
>
> I saw the release announcement for 2.12.2 on this dev list (in the
> archive). It contains the following download link:
>
> https://logging.apache.org/log4j/log4j-2.12.2/download.html
>
> What is confusing is that this URL redirects to
>
> https://logging.apache.org/log4j/log4j-2.12.1/download.html
>
> (2.12.1 instead of 2.12.2 in the URL) but that page then contains the
> text and links for 2.12.2. Users might get confused whether that's
> right, which is a bit problematic in the context of a security release.
>
> Furthermore, lower down on that page, there is still the table of
> download links for version 2.12.1, before the next heading "Previous
> Releases" comes, under which there is 2.3.
>
> Probably someone forgot to delete the 2.12.1 table?
>
> On the download page https://logging.apache.org/log4j/2.x/download.html
> for the current version 2.16.0, under "Previous Releases" still only
> 2.12.1 is mentioned, not 2.12.2, and the page refers to the archive under
> https://archive.apache.org/dist/logging/log4j/ to download previous
> versions. But in the archive 2.12.2 is not yet present.
>
> I know that the last days were hard and very busy, but it might still
> help to do a little cleanup.
>
> Thanks a lot and best regards,
>
> Rainer


Re: Please set tag rel/2.12.2

2021-12-14 Thread Matt Sicker
That's now been updated. Thanks for the notice!

On Tue, Dec 14, 2021 at 5:21 PM Rainer Jung  wrote:
>
> The tag for rel/2.12.2 is missing. The RC tag log4j-2.12.2-rc1 exists,
> but not the rel tag.
>
> Thanks!
>
> Rainer
>


Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc1

2021-12-14 Thread Raman Gupta
+1

On Tue, Dec 14, 2021 at 12:38 AM Matt Sicker  wrote:

> This is a vote to release Log4j Kotlin API version 1.2.0, the next version
> of the Kotlin facade for Log4j2.
>
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
>
> The vote will remain open for 24 hours (or more if required). All votes
> are welcome and we encourage everyone to test the release, but only Logging
> PMC votes are “officially” counted. As always, at least 3 +1 votesand more
> positive than negative votes are required.
>
> Changes in this release include:
>
> * LOG4J2-3218: Update Log4j dependency to 2.16.0.
>
> This is primarily provided to help upgrade transitive dependencies on
> log4j-core which was recently updated to fix CVE-2021-44228.
>
> Tag:
> a)  for a new copy do "git clone
> https://github.com/apache/logging-log4j-kotlin.git <
> https://github.com/apache/logging-log4j-kotlin.git>” and then "git
> checkout tags/log4j-api-kotlin-1.2.0-rc1”  or just "git clone -b
> log4j-api-kotlin-1.2.0-rc1
> https://github.com/apache/logging-log4j-kotlin.git <
> https://github.com/apache/logging-log4j-kotlin.git>"
> b) for an existing working copy to “git pull” and then “git checkout
> tags/log4j-api-kotlin-1.2.0-rc1”
>
> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
>
> Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1069/
>
> Distribution archives:
> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
>
> You may download all the Maven artifacts by executing:
> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> https://repository.apache.org/content/repositories/orgapachelogging-1069/org/apache/logging/log4j/
>
>  --
> Matt Sicker
>
>