Posted to notifications@logging.apache.org by "Kevin Kotas (Jira)" <ji...@apache.org> on 2021/12/15 22:25:00 UTC

[jira] [Closed] (LOG4J2-3240) org.apache.logging.log4 does not match archive.apache.org/dist/logging/log4j/

     [ https://issues.apache.org/jira/browse/LOG4J2-3240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Kotas closed LOG4J2-3240.
-------------------------------
    Resolution: Duplicate

 https://issues.apache.org/jira/browse/LOG4J2-3239 

> org.apache.logging.log4 does not match archive.apache.org/dist/logging/log4j/
> -----------------------------------------------------------------------------
>
>                 Key: LOG4J2-3240
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3240
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.16.0
>            Reporter: Kevin Kotas
>            Priority: Major
>              Labels: security
>
> The releases of Log4j 2 from org.apache.logging.log4j do not match the signed releases from https://archive.apache.org/dist/logging/log4j/. Please check build process per Matt Sicker.
>  
> At https://search.maven.org/search?q=a:log4j-core
> org.apache.logging.log4j --> 2.16.0 -> download jar
>  
> $ sha256sum  log4j-core-2.16.0.jar
> 5d241620b10e3f1475320bc9552cf7bcfa27eeb9b1b6a891449e76db4b4a02a8  log4j-core-2.16.0.jar
>  
> From https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
>  
> $ sha256sum apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
> 085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869  apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
>  
> $ gpg --verify apache-log4j-2.16.0-bin.zip.asc
> gpg: assuming signed data in 'apache-log4j-2.16.0-bin.zip'
> gpg: Signature made Mon 13 Dec 2021 12:40:11 AM EST
> gpg:                using RSA key 9D0A56AAA0D60E0C0C7DCCC0B4C70893B62BABE8
> gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
> gpg:                 aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
>  
> diff also shows that the MANIFEST.MF Bnd-LastModified field is different in log4j-core-2.16.0.jar between the two sources.
>  
> diff -r 2.16.0-bin/META-INF/MANIFEST.MF log4j-core-2.16.0/META-INF/MANIFEST.MF
> 5c5
> < Bnd-LastModified: 1639373735804
> ---
> > Bnd-LastModified: 1639374077682
>  
> This difference in META-INF/MANIFEST.MF is also in org.apache.logging.log4j:log4j-core: 2.15.0 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
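The report above compares the two copies of log4j-core-2.16.0.jar by whole-file sha256sum and then by a recursive diff of the unpacked contents. The following is an added example, not code from the Jira report or the Log4j project, that turns that manual check into a repeatable one: it compares two jars entry by entry and then compares the MANIFEST.MF main section with a set of known non-reproducible attributes removed, so a reviewer can tell whether a hash mismatch is fully explained by a build timestamp such as Bnd-LastModified or whether some class file actually differs. The two jars it builds in a temporary directory are constructed stand-ins with fake class bytes and the two Bnd-LastModified values quoted in the report; the attribute names in NON_REPRODUCIBLE_KEYS other than Bnd-LastModified, and the Bundle-SymbolicName value, are assumptions for the demo.

```python
"""Entry-by-entry jar comparison for verifying a Maven Central artifact against
the signed dist bundle (added example; not Log4j project code)."""
import hashlib
import os
import tempfile
import zipfile

# Manifest attributes that vary between builds of identical sources. The report
# names Bnd-LastModified; the other two are assumed bnd/maven build noise.
NON_REPRODUCIBLE_KEYS = {"Bnd-LastModified", "Build-Jdk-Spec", "Created-By"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(data):
    """Parse the main section of MANIFEST.MF into a dict, joining JAR-spec
    continuation lines (a line starting with one space continues the value)."""
    attrs, last_key = {}, None
    for raw in data.decode("utf-8").splitlines():
        if not raw.strip():
            break  # blank line ends the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(": ")
        attrs[key] = value
        last_key = key
    return attrs


def compare_jars(path_a, path_b, ignore_keys=NON_REPRODUCIBLE_KEYS):
    """Report entries whose bytes differ and manifest attributes that differ
    after the ignored keys are removed; ignored keys are reported separately."""
    with zipfile.ZipFile(path_a) as za, zipfile.ZipFile(path_b) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        differing = [n for n in sorted(names_a & names_b) if za.read(n) != zb.read(n)]
        ma = parse_manifest(za.read("META-INF/MANIFEST.MF"))
        mb = parse_manifest(zb.read("META-INF/MANIFEST.MF"))
    changed = {k: (ma.get(k), mb.get(k)) for k in set(ma) | set(mb) if ma.get(k) != mb.get(k)}
    return {
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "differing_entries": differing,
        "manifest_diff": {k: v for k, v in changed.items() if k not in ignore_keys},
        "ignored_manifest_diff": {k: v for k, v in changed.items() if k in ignore_keys},
    }


def explained_by_manifest_noise(report):
    """True only if the sole byte-level difference is MANIFEST.MF and every
    differing attribute is in the ignore set (no class or resource differs)."""
    return (not report["only_in_a"] and not report["only_in_b"]
            and report["differing_entries"] == ["META-INF/MANIFEST.MF"]
            and not report["manifest_diff"])


def build_demo_jars(directory):
    """CONSTRUCTED stand-ins for the two log4j-core-2.16.0.jar copies: identical
    fake class bytes, manifests differing only in Bnd-LastModified."""
    class_bytes = b"\xca\xfe\xba\xbe" + b"\x00" * 28  # not a real class file
    paths = []
    for tag, stamp in (("dist", "1639373735804"), ("central", "1639374077682")):
        manifest = ("Manifest-Version: 1.0\r\n"
                    "Bundle-SymbolicName: org.apache.logging.log4j.core\r\n"
                    f"Bnd-LastModified: {stamp}\r\n\r\n").encode()
        path = os.path.join(directory, f"log4j-core-demo-{tag}.jar")
        with zipfile.ZipFile(path, "w") as z:  # ZipInfo() gives a fixed 1980 timestamp
            z.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF"), manifest)
            z.writestr(zipfile.ZipInfo("org/apache/logging/log4j/core/Logger.class"), class_bytes)
        paths.append(path)
    return paths


def demo():
    """Return (whole-file hashes differ?, comparison report) for the demo jars."""
    with tempfile.TemporaryDirectory() as d:
        a, b = build_demo_jars(d)
        return sha256_file(a) != sha256_file(b), compare_jars(a, b)


if __name__ == "__main__":
    hashes_differ, report = demo()
    print("sha256 differs:", hashes_differ)
    print("explained by manifest noise:", explained_by_manifest_noise(report))
    print(report)
```

Against real artifacts, call compare_jars() on the jar pulled from Maven Central and the one extracted from the gpg-verified apache-log4j-2.16.0-bin.zip; a non-empty differing_entries list beyond META-INF/MANIFEST.MF, or any key left in manifest_diff, means the mismatch is not just a timestamp and warrants the build-process review the report asks for.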