You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/14 05:16:33 UTC
[logging-log4j2] branch log4j-2.12 updated: Prepare for release
This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch log4j-2.12
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/log4j-2.12 by this push:
new 240b04c Prepare for release
240b04c is described below
commit 240b04ce459ad92f6c7c45e43e29f4fb17878b3f
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Dec 13 22:14:41 2021 -0700
Prepare for release
---
pom.xml | 2 +-
src/changes/announcement.vm | 8 ++------
src/changes/changes.xml | 6 ++++++
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/pom.xml b/pom.xml
index 3cd85a8..024db13 100644
--- a/pom.xml
+++ b/pom.xml
@@ -181,7 +181,7 @@
<properties>
<!-- make sure to update these for each release! -->
<log4jParentDir>${basedir}</log4jParentDir>
- <Log4jReleaseVersion>2.12.1</Log4jReleaseVersion>
+ <Log4jReleaseVersion>2.12.2</Log4jReleaseVersion>
<Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
<Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>
<!--<Log4jReleaseManager>Matt Sicker</Log4jReleaseManager> -->
diff --git a/src/changes/announcement.vm b/src/changes/announcement.vm
index 0b25be5..8bd9cdf 100644
--- a/src/changes/announcement.vm
+++ b/src/changes/announcement.vm
@@ -71,12 +71,8 @@ Due to a break in compatibility in the SLF4J binding, Log4j now ships with two v
log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and
later.
-This release improves the performance of capturing location information, makes log4j-core optional in the log4j 1.2
-bridge, and explicitly removes LoggerContext references from compoents that keep track of them when the LoggerContext
-is shut down. More details on the new features and fixes are itemized below.
-
-Note that the XML, JSON and YAML formats changed in the 2.11.0 release: they no longer have the "timeMillis" attribute
-and instead have an "Instant" element with "epochSecond" and "nanoOfSecond" attributes.
+This release addresses CVE-2021-44228 for users still using Java 7 by disabling JNDI by default, only allowing the java
+protocol when JNDI is enabled, making the JNDI Lookup inoperable, and removing the message lookup capability.
The Log4j ${relVersion} API, as well as many core components, maintains binary compatibility with previous releases.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 27a664f..ef44922 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,6 +29,12 @@
- "update" - Change
- "remove" - Removed
-->
+ <release version="2.12.2" date="2021-12-14" description="GA Release 2.12.2">
+ <action issue="LOG4J-3220" dev="rgoers" type="fix">
+ Disable JNDI by default, remove JNDI Lookup, Remove Message Lookups. When enabled JNDI only supports the
+ java protocol.
+ </action>
+ </release>
<release version="2.12.1" date="2019-08-06" description="GA Release 2.12.1">
<action issue="LOG4J2-1946" dev="rgoers" type="fix" due-to="Igor Perelyotov">
Allow file renames to work when files are missing from the sequence.