Posted to notifications@logging.apache.org by "Kevin Kotas (Jira)" <ji...@apache.org> on 2021/12/15 22:25:00 UTC
[jira] [Closed] (LOG4J2-3240) org.apache.logging.log4j does not match archive.apache.org/dist/logging/log4j/
[ https://issues.apache.org/jira/browse/LOG4J2-3240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Kotas closed LOG4J2-3240.
-------------------------------
Resolution: Duplicate
https://issues.apache.org/jira/browse/LOG4J2-3239
> org.apache.logging.log4j does not match archive.apache.org/dist/logging/log4j/
> ------------------------------------------------------------------------------
>
> Key: LOG4J2-3240
> URL: https://issues.apache.org/jira/browse/LOG4J2-3240
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Kevin Kotas
> Priority: Major
> Labels: security
>
> The releases of Log4j 2 from org.apache.logging.log4j do not match the signed releases from https://archive.apache.org/dist/logging/log4j/. Please check the build process per Matt Sicker.
>
> At https://search.maven.org/search?q=a:log4j-core
> org.apache.logging.log4j --> 2.16.0 -> download jar
>
> $ sha256sum log4j-core-2.16.0.jar
> 5d241620b10e3f1475320bc9552cf7bcfa27eeb9b1b6a891449e76db4b4a02a8 log4j-core-2.16.0.jar
>
> From https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
>
> $ sha256sum apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
> 085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869 apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
>
> $ gpg --verify apache-log4j-2.16.0-bin.zip.asc
> gpg: assuming signed data in 'apache-log4j-2.16.0-bin.zip'
> gpg: Signature made Mon 13 Dec 2021 12:40:11 AM EST
> gpg: using RSA key 9D0A56AAA0D60E0C0C7DCCC0B4C70893B62BABE8
> gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
> gpg: aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
>
> diff also shows that the MANIFEST.MF Bnd-LastModified field is different in log4j-core-2.16.0.jar between the two sources.
>
> diff -r 2.16.0-bin/META-INF/MANIFEST.MF log4j-core-2.16.0/META-INF/MANIFEST.MF
> 5c5
> < Bnd-LastModified: 1639373735804
> ---
> > Bnd-LastModified: 1639374077682
>
> This difference in META-INF/MANIFEST.MF is also present in org.apache.logging.log4j:log4j-core:2.15.0.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
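The reporter's check stops at "the sha256 values differ and MANIFEST.MF differs". The question a reviewer then has to answer is whether the mismatch is explained entirely by build metadata (bnd stamping a new Bnd-LastModified on every run) or whether any class file actually differs between the Maven Central jar and the signed distribution. The script below is an added example in Python and is not code from this Jira issue or from the Log4j project: it opens both jars, compares every entry byte for byte, parses the manifest main section (including continuation lines) and classifies the result. The two jars are constructed in memory so the example runs offline; the only data taken from the issue are the two Bnd-LastModified values. The set of headers treated as volatile build noise is this example's assumption, not a Log4j or bnd rule. Against real downloads you would pass the bytes of the two files read from disk instead of the constructed ones.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

# Manifest headers a non-reproducible build rewrites on every run even when the
# compiled code is identical. Which headers count as noise is this example's
# assumption, not a Log4j or bnd policy.
VOLATILE_HEADERS = {"Bnd-LastModified", "Built-By", "Build-Jdk", "Build-Jdk-Spec"}


def sha256_hex(data: bytes) -> str:
    """The value `sha256sum` prints for the same bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest into {header: value}.

    A line starting with one space continues the previous value (the manifest
    format wraps at 72 bytes); the first blank line ends the main section and
    the per-entry sections after it are ignored.
    """
    headers = {}
    last = None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        headers[last] = value.strip()
    return headers


def compare_jars(a: bytes, b: bytes) -> dict:
    """Entry-by-entry comparison, the jar-level equivalent of `diff -r`."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names_a, names_b = set(za.namelist()), set(zb.namelist())
    common = names_a & names_b
    changed = [n for n in sorted(common) if n != MANIFEST and za.read(n) != zb.read(n)]
    manifest_diff = {}
    if MANIFEST in common:
        ma = parse_manifest(za.read(MANIFEST).decode("utf-8"))
        mb = parse_manifest(zb.read(MANIFEST).decode("utf-8"))
        for key in sorted(ma.keys() | mb.keys()):
            if ma.get(key) != mb.get(key):
                manifest_diff[key] = (ma.get(key), mb.get(key))
    return {
        "sha256": (sha256_hex(a), sha256_hex(b)),
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "changed_entries": changed,
        "manifest_diff": manifest_diff,
    }


def verdict(report: dict) -> str:
    """Reduce the report to the reviewer's question: is it only build metadata?"""
    if report["sha256"][0] == report["sha256"][1]:
        return "identical"
    if report["only_in_a"] or report["only_in_b"] or report["changed_entries"]:
        return "content-differs"
    if set(report["manifest_diff"]) <= VOLATILE_HEADERS:
        # Only volatile headers differ, or no entry differs at all and the hash
        # mismatch comes from zip-container details (entry order, timestamps).
        return "build-metadata-only"
    return "manifest-differs"


def build_jar(entries: dict) -> bytes:
    """Constructed test data: a minimal in-memory jar with fixed entry timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2021, 12, 13, 0, 0, 0)), data)
    return buf.getvalue()


# Constructed stand-ins for the two downloads. The Bnd-LastModified values are
# the ones the issue reports; the class entry is a placeholder, not real bytecode.
_MANIFEST_DIST = "Manifest-Version: 1.0\r\nBnd-LastModified: 1639373735804\r\n\r\n"
_MANIFEST_MAVEN = _MANIFEST_DIST.replace("1639373735804", "1639374077682")
_CLASS = "org/apache/logging/log4j/core/Logger.class"
_CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 28

JAR_FROM_DIST = build_jar({MANIFEST: _MANIFEST_DIST.encode(), _CLASS: _CLASS_BYTES})
JAR_FROM_MAVEN = build_jar({MANIFEST: _MANIFEST_MAVEN.encode(), _CLASS: _CLASS_BYTES})
JAR_TAMPERED = build_jar({MANIFEST: _MANIFEST_MAVEN.encode(), _CLASS: _CLASS_BYTES + b"\x01"})


def check_pair(a: bytes, b: bytes) -> str:
    return verdict(compare_jars(a, b))


if __name__ == "__main__":
    for label, other in (("maven", JAR_FROM_MAVEN), ("tampered", JAR_TAMPERED)):
        report = compare_jars(JAR_FROM_DIST, other)
        print(label, verdict(report), report["manifest_diff"], report["changed_entries"])
```

For the constructed pair that mirrors the issue, the verdict is "build-metadata-only" with Bnd-LastModified as the single differing header; the third jar, whose class entry has one extra byte, comes back "content-differs". A jar whose verdict is "build-metadata-only" still does not carry the release signature, so the gpg verification of the distribution zip shown in the issue remains the authoritative check; this script only tells you whether the unsigned copy is the same code.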