Posted to commits@logging.apache.org by ma...@apache.org on 2021/12/12 03:50:48 UTC

[logging-log4j-site] branch asf-staging updated: Fix markup typo

This is an automated email from the ASF dual-hosted git repository.

mattsicker pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new b2250dd  Fix markup typo
b2250dd is described below

commit b2250dde7a43738b6a30304e5939af8d79876dcb
Author: Matt Sicker <bo...@gmail.com>
AuthorDate: Sat Dec 11 21:50:32 2021 -0600

    Fix markup typo
---
 log4j-2.15.1/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-2.15.1/index.html b/log4j-2.15.1/index.html
index b69080d..86c5342 100644
--- a/log4j-2.15.1/index.html
+++ b/log4j-2.15.1/index.html
@@ -201,7 +201,7 @@
 <p>Log4j&#x2019;s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects by default served on the local host.</p>
 <p>One vector that allowed exposure to this vulnerability was Log4j&#x2019;s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.</p>
 <p>For those who cannot upgrade to 2.15.0, in releases &gt;=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nnolookups} instead of just %m. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:zip [...]
-<p>$h 3Other News</p>
+<h3>Other News</h3>
 <p>Log4j 2.15.1 is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons Logging, SLF4J, and java.util.logging.</p>
 <p>Log4j 2.15.1 is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 requires Java 8 or greater at runtime. This release contains new features and fixes which can be found in the latest <a href="changes-report.html#a2.15.1">changes report</a>.</p>
 <p>The only change in Log4j 2.15.1 is:</p>
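
Review bot: the mitigation paragraph just above the corrected heading (unchanged context in this hunk) still spells the message converter as `%m{nnolookups}`. The PatternLayout option is `nolookups`, so a pattern copied as printed would not match the option the sentence is describing. Since this commit is already fixing a typo on this part of the page, correct it here as well so the text reads `%m{nolookups} instead of just %m`. The heading change from `<p>$h 3Other News</p>` to `<h3>Other News</h3>` looks right as is.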