Posted to commits@logging.apache.org by rg...@apache.org on 2019/12/18 22:32:36 UTC

svn commit: r1054230 - /websites/production/logging/content/log4j/log4j-1.2.17/index.html

Author: rgoers
Date: Wed Dec 18 22:32:36 2019
New Revision: 1054230

Log:
Publish security vulnerability and problems on Java 9

Modified:
    websites/production/logging/content/log4j/log4j-1.2.17/index.html

Modified: websites/production/logging/content/log4j/log4j-1.2.17/index.html
==============================================================================
--- websites/production/logging/content/log4j/log4j-1.2.17/index.html (original)
+++ websites/production/logging/content/log4j/log4j-1.2.17/index.html Wed Dec 18 22:32:36 2019
@@ -152,23 +152,12 @@
     <div id="bodyColumn">
       <div id="contentBox">
         <!-- Licensed to the Apache Software Foundation (ASF) under one or more --><!-- contributor license agreements.  See the NOTICE file distributed with --><!-- this work for additional information regarding copyright ownership. --><!-- The ASF licenses this file to You under the Apache License, Version 2.0 --><!-- (the "License"); you may not use this file except in compliance with --><!-- the License.  You may obtain a copy of the License at --><!--  --><!-- http://www.apache.org/licenses/LICENSE-2.0 --><!--  --><!-- Unless required by applicable law or agreed to in writing, software --><!-- distributed under the License is distributed on an "AS IS" BASIS, --><!-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --><!-- See the License for the specific language governing permissions and --><!-- limitations under the License. -->
-<div align="center">
-<br><br>
-<a href="https://jaxlondon.com/jax-awards/"><img src="images/VoteLog4j2-JAX2016InnovationAward.jpg"></a>
-<p>
-<table border="1" cellspacing="0" align="center" style="width:400px">
-<tr>
-<td align="center">
-Log4j 2 is nominated for the JAX Innovation Awards! <br><br>
-Do you like its performance, garbage-free logging, and easy and flexible configuration?<br><br>
-Log4j 2 needs your love.
-<a href="https://jaxlondon.com/jax-awards/">Vote for Log4j 2!</a><br><br>
-
-</td>
-</tr>
-</table>
-</div>
-          <div class="section"><h2>End of Life</h2><p>On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the <a href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache Blog</a>. Users of Log4j 1 are recommended to upgrade to <a class="externalLink" href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
+          <div class="section">
+              <h2>End of Life</h2><p>On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life. For complete text of the announcement please see the <a href="http://blogs.apache.org/foundation/entry/apache_logging_services_project_announces">Apache Blog</a>. Users of Log4j 1 are recommended to upgrade to <a class="externalLink" href="http://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a>.</p>
+              <h2>Security Vulnerabilities</h2>
+                <p>A security vulnerability, <a href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> has been identified against Log4j 1. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.</p>
+              <h2>Java Version Incompatibilities</h2>
+                <p>The version detection algorithm changed in Java 9 which causes the MDC not to work properly. See <a href="https://blogs.apache.org/logging/entry/moving_on_to_log4j_2">Log4j 1.2 is broken on Java 9</a> for details.</p>
               <h2>Apache log4j&#x2122; 1.2<a name="Apache_log4j_1.2"></a></h2><p>Welcome to Apache log4j, a logging library for Java. Apache log4j is an Apache Software Foundation Project and developed by a dedicated team of Committers of the Apache Software Foundation. For more info, please see <a class="externalLink" href="http://www.apache.org">The Apache Software Foundation</a>. Apache log4j is also part of a project which is known as <a class="externalLink" href="http://logging.apache.org">Apache Logging</a>. Please see the <a href="/license.html">License</a>.</p><p>If you are interested in the recent changes, visit our <a href="/changes-report.html">changes report</a>.</p>
               <div class="section"><h3>Why logging?<a name="Why_logging"></a></h3><p>Inserting log statements into your code is a low-tech method for debugging it. It may also be the only way because debuggers are not always available or applicable. This is often the case for distributed applications.</p><p>On the other hand, some people argue that log statements pollute source code and decrease legibility. (We believe that the contrary is true). In the Java language where a preprocessor is not available, log statements increase the size of the code and reduce its speed, even when logging is turned off. Given that a reasonably sized application may contain thousands of log statements, speed is of particular importance.</p></div>
               <div class="section"><h3>Why log4j?<a name="Why_log4j"></a></h3><p>With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that these statements can remain in shipped code without incurring a heavy performance cost. Logging behavior can be controlled by editing a configuration file, without touching the application binary.</p><p>Logging equips the developer with detailed context for application failures. On the other hand, testing provides quality assurance and confidence in the application. Logging and testing should not be confused. They are complementary. When logging is wisely used, it can prove to be an essential tool.</p><p>One of the distinctive features of log4j is the notion of inheritance in loggers. Using a logger hierarchy it is possible to control which log statements are output at arbitrarily fine granularity but also great ease. This helps to reduce the volume of logged output and 
 the cost of logging.</p><p>The target of the log output can be a file, an OutputStream, a java.io.Writer, a remote log4j server, a remote Unix Syslog daemon, or many other output targets.</p></div>
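Review bot: The added "Security Vulnerabilities" paragraph identifies the issue only by its id and links it to a third-party tracker (cvedetails.com), so a reader cannot tell from this page which part of Log4j 1 is affected or what the impact is. Because the text states the issue will not be fixed, add one sentence summarising the affected component and impact so users who cannot upgrade immediately can judge their exposure, and point the link at an authoritative record (the CVE entry or a project advisory). The sentence also needs a closing comma after the link: "A security vulnerability, CVE-2019-17571, has been identified against Log4j 1." In the "Java Version Incompatibilities" paragraph the link text "Log4j 1.2 is broken on Java 9" points at a URL ending in moving_on_to_log4j_2; please confirm that is the intended post. Both new off-site anchors omit the class="externalLink" attribute that the Log4j 2 link in the same section carries.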