Posted to commits@logging.apache.org by gg...@apache.org on 2021/12/22 17:24:28 UTC

[logging-log4j2] branch release-2.x updated: Fix version and Java references meant to 2.12.3.

This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new fc64eaf  Fix version and Java references meant to 2.12.3.
fc64eaf is described below

commit fc64eafcede1fef9483006c36e58c5df1d6a758b
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Wed Dec 22 12:24:21 2021 -0500

    Fix version and Java references meant to 2.12.3.
---
 src/site/markdown/security.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index e201710..54168d1 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -78,7 +78,7 @@ Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8
 Alternatively, this infinite recursion issue can be mitigated in configuration:
 
 * In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).
-* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate 
+* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate
 from sources external to the application such as HTTP headers or user input.
 
 Note that only the log4j-core JAR file is impacted by this vulnerability.
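
Review bot: The only change in this hunk is the removal of a trailing space at the end of the "Otherwise, in the configuration, remove references to Context Lookups" bullet, which is unrelated to the commit subject "Fix version and Java references meant to 2.12.3." Either mention the whitespace cleanup in the commit message or move it to a separate commit, so the history of this security guidance shows only real wording changes. The continuation line "from sources external to the application such as HTTP headers or user input." is also not indented under its bullet; indenting it would make the list item boundary explicit in the Markdown source.
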
@@ -317,7 +317,7 @@ This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
 - [https://issues.apache.org/jira/browse/LOG4J2-3201](https://issues.apache.org/jira/browse/LOG4J2-3201)
 - [https://issues.apache.org/jira/browse/LOG4J2-3198](https://issues.apache.org/jira/browse/LOG4J2-3198).
 
-## <a name="log4j-2.13.2"/> Fixed in Log4j 2.13.2 (Java 8)
+## <a name="log4j-2.12.3"/> Fixed in Log4j 2.12.3 (Java 7)
 <a name="CVE-2020-9488"/><a name="cve-2020-9488"/>
 [CVE-2020-9488](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488):  Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
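
Review bot: The heading change replaces the `log4j-2.13.2` anchor with `log4j-2.12.3` instead of adding to it, so any existing link to `#log4j-2.13.2` on the security page stops resolving. Consider keeping the old anchor next to the new one, the same way the following line carries both `CVE-2020-9488` and `cve-2020-9488`. The heading text also drops "2.13.2 (Java 8)" entirely; please confirm that the section for CVE-2020-9488 should name only 2.12.3 (Java 7), and if both releases carry the fix, list both in the heading so Java 8 users still see their fixed version.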