Posted to commits@logging.apache.org by rp...@apache.org on 2021/12/14 15:03:58 UTC

[logging-log4j2] branch release-2.x updated: [DOC] Add Work In Progress notice and credit Kai Mindermann

This is an automated email from the ASF dual-hosted git repository.

rpopma pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git


The following commit(s) were added to refs/heads/release-2.x by this push:
     new f719cbe  [DOC] Add Work In Progress notice and credit Kai Mindermann
f719cbe is described below

commit f719cbef14155edf426dd1e32b8ad95134db2bde
Author: rpopma <rp...@apache.org>
AuthorDate: Wed Dec 15 00:03:48 2021 +0900

    [DOC] Add Work In Progress notice and credit Kai Mindermann
---
 src/site/markdown/security.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 96cba98..6853151 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -113,9 +113,14 @@ Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in confi
 Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap
 protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed.
 
+#### Work in progress
+The Log4j team will continue to actively update this page as more information becomes known.
+
 #### Credit 
 This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
 
+The ThreadContext attack vector was first discovered by Kai Mindermann of iC Consult.
+
 #### References
 [https://issues.apache.org/jira/browse/LOG4J2-3201](https://issues.apache.org/jira/browse/LOG4J2-3201)
 and [https://issues.apache.org/jira/browse/LOG4J2-3198](https://issues.apache.org/jira/browse/LOG4J2-3198).
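
Review bot: the "Work in progress" notice added above "#### Credit" carries no date, so a reader of the published page cannot tell how current the advisory is or whether the notice itself has gone stale; put a last-updated date next to it and drop the heading once the text is final. The new credit line refers to "the ThreadContext attack vector", but nothing in the visible context says which of the two issues listed under References (LOG4J2-3201, LOG4J2-3198) it relates to, so link the credit to the relevant issue or to the section that describes that vector. Minor wording point: "first discovered" here versus "discovered" in the credit line above; use one form for both.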