Posted to commits@logging.apache.org by rg...@apache.org on 2021/12/14 20:52:18 UTC

[logging-log4j-site] branch asf-staging updated: Remove future wording

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new a1e0183  Remove future wording
a1e0183 is described below

commit a1e0183c1f9f2b4b183f79815c12d73d82ce0b3b
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Tue Dec 14 13:52:08 2021 -0700

    Remove future wording
---
 log4j-2.16.0/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/log4j-2.16.0/index.html b/log4j-2.16.0/index.html
index cd69186..1bed338 100644
--- a/log4j-2.16.0/index.html
+++ b/log4j-2.16.0/index.html
@@ -168,7 +168,7 @@
 <p>Note that previous mitigations involving configuration such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.</p></section><section>
 <h4><a name="Mitigation"></a>Mitigation</h4>
 <p>In version 2.12.2 Log4j disables access to JNDI by default. Usage of JNDI in configuration now need to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed.</p></section><section>
-<p>In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. The ldap and ldaps protocols will be removed in the next release. The message lookups feature has been completely removed.</p></section><section>
+<p>In version 2.16.0 Log4j disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. Also, Log4j now limits the protocols by default to only java, ldap, and ldaps and limits the ldap protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed. The message lookups feature has been completely removed.</p></section><section>
 <h4><a name="Reference"></a>Reference</h4>
 <p>Please refer to the <a href="security.html#CVE-2021-45046">Security page</a> for details and mitigation measures for older versions of Log4j.</p>
 <p><a name="CVE-2021-44228"></a></p></section></section></section><section>
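Review bot: In the changed 2.16.0 paragraph, removing the sentence about the next release leaves "limits the protocols by default to only java, ldap, and ldaps" directly after the 2.12.2 paragraph, which states the default is "only java", and nothing tells the reader why the two release lines differ. Consider adding a short clause saying the difference between the 2.12.2 and 2.16.0 defaults is intentional, so the page does not read as self-contradictory. Separately, the 2.12.2 context line ends with </section><section>, so the 2.16.0 paragraph sits in a new section with no heading of its own; if both paragraphs belong under Mitigation, that section break looks misplaced. The 2.12.2 context line also reads "Usage of JNDI in configuration now need to be enabled", which should be "needs" and could be fixed in the same pass.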