Posted to dev@logging.apache.org by Ralph Goers <ra...@dslextreme.com> on 2021/12/18 03:18:43 UTC

[VOTE] Release Apache Log4j 2.17.0-rc1

This is a vote to release Log4j 2.17.0, the next version of the Log4j 2 project.

Please download, test, and cast your votes on the log4j developers list.
[] +1, release the artifacts
[] -1, don't release because...

The vote will remain open for as short an amount of time as required to vet the release. All votes are welcome and we encourage everyone to test the release, but only Logging PMC votes are “officially” counted. As always, at least 3 +1 votes and more positive than negative votes are required.

Note that a pre-release version of this was distributed to all reporters of the issue covered by CVE-2021-45105 and all who tested confirmed the issue was addressed.

Changes in this version include:

Fixed Bugs

	• LOG4J2-3230: Fix string substitution recursion.
	• LOG4J2-3242: Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'.
	• LOG4J2-3242: Limit JNDI to the java protocol only. JNDI will remain disabled by default. The enablement property has been renamed to 'log4j2.enableJndiJava'
	• LOG4J2-3241: Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin.
	• LOG4J2-3247: PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters.
	• LOG4J2-3249: Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514.
	• LOG4J2-3237: Log4j 1.2 bridge API hard codes the Syslog protocol to TCP.

Tag: 
a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git" and then "git checkout tags/log4j-2.17.0-rc1", or just "git clone -b log4j-2.17.0-rc1 https://github.com/apache/logging-log4j2.git"
b) for an existing working copy do "git pull" and then "git checkout tags/log4j-2.17.0-rc1"

Web Site:  https://logging.staged.apache.org/log4j/2.x/index.html 

Maven Artifacts: https://repository.apache.org/content/repositories/orgapachelogging-1071

Distribution archives: https://dist.apache.org/repos/dist/dev/logging/log4j/ 

You may download all the Maven artifacts by executing:
wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate https://repository.apache.org/content/repositories/orgapachelogging-1071/org/apache/logging/log4j/

Ralph

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Gary Gregory <ga...@gmail.com>.
+1

Building from the git tag (tags/log4j-2.17.0-rc1 a19ef9bce) OK; running:

- mvn clean install
- mvn site -DskipTests
- mvn apache-rat:check -DskipTests

openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-bre_2021_10_20_23_15-b00)
OpenJDK 64-Bit Server VM (build 25.312-b00, mixed mode)

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: /usr/local/Cellar/maven/3.8.4/libexec
Java version: 1.8.0_312, vendor: Homebrew, runtime:
/usr/local/Cellar/openjdk@8/1.8.0+312/libexec/openjdk.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "12.1", arch: "x86_64", family: "mac"

Darwin *** 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54
PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64 x86_64

Gary



Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Carter Kozak <ck...@ckozak.net>.
+1

build + rat are good

-ck


Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Remko Popma <re...@gmail.com>.
+1

GNU signatures check ok.

Build passed with
maven clean install

Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117;
2019-08-28T00:06:16+09:00)
Maven home: C:\apps\apache-maven-3.6.2\bin\..
Java version: 1.8.0_202, vendor: Oracle Corporation, runtime:
C:\apps\jdk1.8.0_202\jre
Default locale: en_GB, platform encoding: MS932
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

About the signatures:
I only see asc file, md5 and sha1 files; I was able to verify the GPG sigs
(asc), but not the md5 or sha1 files:

find . -type f -name '*.sha1' -exec sha1sum -c {} \;
find . -type f -name '*.md5' -exec md5sum -c {} \;
Both these commands give errors like "no properly formatted SHA1 checksum
lines found"... so not good.
But as per Apache guidelines we should not use md5 or sha1, so ignoring
that for now.

I cannot find any sha512 signatures anywhere though...

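The "no properly formatted SHA1 checksum lines found" error reported above is what `sha1sum -c` prints when a checksum file does not contain "<digest>  <filename>" lines. The following is an added example, not part of the thread or the Log4j project: it assumes the .sha1/.md5/.sha512 sidecar files hold a bare hex digest and compares each one to a freshly computed digest. The function names check_sidecar and verify_tree are hypothetical, and GNU coreutils (md5sum, sha1sum, sha512sum) is assumed.

```shell
#!/bin/sh
# Added example: verify checksum sidecars (foo.jar.sha1, foo.jar.md5,
# foo.jar.sha512) whose content is a bare hex digest, which `sha1sum -c`
# and `md5sum -c` cannot parse.
# Usage: sh verify-sidecars.sh <download-directory>

# check_sidecar FILE.algo -> 0 if the digest matches, 1 on mismatch or
# missing artifact, 2 if the extension is not a supported algorithm.
check_sidecar() {
    sidecar=$1
    algo=${sidecar##*.}      # extension names the algorithm
    target=${sidecar%.*}     # the artifact sits next to its sidecar
    case "$algo" in
        md5|sha1|sha512) tool="${algo}sum" ;;
        *) echo "SKIP  $sidecar"; return 2 ;;
    esac
    [ -f "$target" ] || { echo "MISSING  $target"; return 1; }
    # The first whitespace-delimited token is the digest. This accepts a
    # bare digest as well as "<digest>  <name>", ignores CR from
    # Windows-written files, and compares case-insensitively.
    expected=$(tr -d '\r' < "$sidecar" | awk 'NR==1 { print tolower($1) }')
    actual=$("$tool" "$target" | awk '{ print tolower($1) }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK    $target ($algo)"
        return 0
    fi
    echo "FAIL  $target ($algo)"
    return 1
}

# verify_tree DIR -> 0 only if every sidecar under DIR matches its artifact.
verify_tree() {
    dir=$1
    failures=0
    list=$(mktemp)
    # Quote the patterns so the shell does not expand them before find runs.
    find "$dir" -type f \
        \( -name '*.sha1' -o -name '*.md5' -o -name '*.sha512' \) > "$list"
    while IFS= read -r f; do
        check_sidecar "$f" || failures=$((failures + 1))
    done < "$list"
    rm -f "$list"
    echo "failures: $failures"
    [ "$failures" -eq 0 ]
}

# Run only when a directory argument is supplied.
[ "$#" -eq 0 ] || verify_tree "$1"
```

A matching digest only shows the download was not corrupted relative to the repository copy; the .asc signature is what ties the artifact to the release manager's key.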

Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Ron Grabowski <ro...@yahoo.com.INVALID>.
+1

mvn clean install
mvn apache-rat:check

Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: C:\projects\apache-maven-3.8.4
Java version: 1.8.0_181, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_181\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"


Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Ralph Goers <ra...@dslextreme.com>.
My +1

Ralph



Re: [VOTE] Release Apache Log4j 2.17.0-rc1

Posted by Matt Sicker <bo...@gmail.com>.
+1

Checked build, tests, sigs, site, etc.
--
Matt Sicker
