You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/14 05:16:33 UTC

[logging-log4j2] branch log4j-2.12 updated: Prepare for release

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch log4j-2.12
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/log4j-2.12 by this push:
     new 240b04c  Prepare for release
240b04c is described below

commit 240b04ce459ad92f6c7c45e43e29f4fb17878b3f
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Dec 13 22:14:41 2021 -0700

    Prepare for release
---
 pom.xml                     | 2 +-
 src/changes/announcement.vm | 8 ++------
 src/changes/changes.xml     | 6 ++++++
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index 3cd85a8..024db13 100644
--- a/pom.xml
+++ b/pom.xml
@@ -181,7 +181,7 @@
   <properties>
     <!-- make sure to update these for each release! -->
     <log4jParentDir>${basedir}</log4jParentDir>
-    <Log4jReleaseVersion>2.12.1</Log4jReleaseVersion>
+    <Log4jReleaseVersion>2.12.2</Log4jReleaseVersion>
     <Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
     <Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>
     <!--<Log4jReleaseManager>Matt Sicker</Log4jReleaseManager> -->
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 0b25be5..8bd9cdf 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -71,12 +71,8 @@ Due to a break in compatibility in the SLF4J binding, Log4j now ships with two v
 log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and
 later.
 
-This release improves the performance of capturing location information, makes log4j-core optional in the log4j 1.2
-bridge, and explicitly removes LoggerContext references from compoents that keep track of them when the LoggerContext
-is shut down. More details on the new features and fixes are itemized below.
-
-Note that the XML, JSON and YAML formats changed in the 2.11.0 release: they no longer have the "timeMillis" attribute
-and instead have an "Instant" element with "epochSecond" and "nanoOfSecond" attributes.
+This release addresses CVE-2021-44228 for users still using Java 7 by disabling JNDI by default, only allowing the java
+protocol when JNDI is enabled, making the JNDI Lookup inoperable, and removing the message lookup capability.
 
 The Log4j ${relVersion} API, as well as many core components, maintains binary compatibility with previous releases.
 
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 27a664f..ef44922 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,6 +29,12 @@
          - "update" - Change
          - "remove" - Removed
     -->
+    <release version="2.12.2" date="2021-12-14" description="GA Release 2.12.2">
+      <action issue="LOG4J-3220" dev="rgoers" type="fix">
+        Disable JNDI by default, remove JNDI Lookup, Remove Message Lookups. When enabled JNDI only supports the
+        java protocol.
+      </action>
+    </release>
     <release version="2.12.1" date="2019-08-06" description="GA Release 2.12.1">
       <action issue="LOG4J2-1946" dev="rgoers" type="fix" due-to="Igor Perelyotov">
         Allow file renames to work when files are missing from the sequence.