Posted to commits@logging.apache.org by vy...@apache.org on 2022/01/27 08:31:39 UTC
[logging-log4j2] branch master updated (2574534 -> 97e9c5a)
This is an automated email from the ASF dual-hosted git repository.
vy pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git.
from 2574534 Use a default goal: clean verify
new 80a619b LOG4J2-3356 Fix maven-bundle-plugin configuration of JSON Template Layout.
new 9588d88 Align GitHub Actions workflow with the one in release-2.x.
new 97e9c5a Add mention of "CVE creation process" to the security page.
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.github/workflows/build.yml | 54 +++++++++++++++++++++++++++
.github/workflows/main.yml | 75 --------------------------------------
log4j-layout-template-json/pom.xml | 5 ++-
src/site/asciidoc/security.adoc | 35 ++++++++++++------
4 files changed, 81 insertions(+), 88 deletions(-)
create mode 100644 .github/workflows/build.yml
delete mode 100644 .github/workflows/main.yml
[logging-log4j2] 02/03: Align GitHub Actions workflow with the one in release-2.x.
Posted by vy...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 9588d88980b7e837a2a4d2d11ea8c0e8a5a1ce82
Author: Volkan Yazici <vo...@yazi.ci>
AuthorDate: Fri Jan 21 16:33:42 2022 +0100
Align GitHub Actions workflow with the one in release-2.x.
---
.github/workflows/build.yml | 54 ++++++++++++++++++++++++++++++++
.github/workflows/main.yml | 75 ---------------------------------------------
2 files changed, 54 insertions(+), 75 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..3c003f3
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,54 @@
+name: build
+
+on:
+ push:
+ branches:
+ - master
+ - release-2.x
+ pull_request:
+
+jobs:
+ build:
+
+ runs-on: ${{ matrix.os }}
+
+ strategy:
+ matrix:
+ os: [ ubuntu-latest, windows-latest, macos-latest ]
+
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Setup JDK 11
+ uses: actions/setup-java@v2.4.0
+ with:
+ distribution: 'temurin'
+ java-version: 11
+ java-package: jdk
+ architecture: x64
+ cache: 'maven'
+
+ - name: Inspect environment (Linux)
+ if: runner.os == 'Linux'
+ run: env | grep '^JAVA'
+
+ - name: Inspect environment (Windows)
+ if: runner.os == 'Windows'
+ run: set java
+
+ - name: Inspect environment (MacOS)
+ if: runner.os == 'macOS'
+ run: env | grep '^JAVA'
+
+ - name: Build with Maven
+ timeout-minutes: 60
+ shell: bash
+ run: |
+ ./mvnw \
+ --show-version --batch-mode --errors --no-transfer-progress \
+ -DtrimStackTrace=false \
+ -Dsurefire.rerunFailingTestsCount=2 \
+ -Dlog4j2.junit.fileCleanerSleepPeriodMillis=1000 \
+ --global-toolchains ".github/workflows/maven-toolchains.xml"
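Review bot: the `Build with Maven` step passes `--global-toolchains ".github/workflows/maven-toolchains.xml"`, but this patch does not add that file; unless it already exists on master the Maven invocation fails before any module builds, so either include the file here or say in the commit message that it is already present. Two smaller points: the `Inspect environment (Linux)` and `(MacOS)` steps run the identical `env | grep '^JAVA'` and could be a single step guarded by `if: runner.os != 'Windows'`; and the third-party actions are pinned by tag (`actions/checkout@v2`, `actions/setup-java@v2.4.0`), so a supply-chain-minded reviewer would pin them to full commit SHAs and add a top-level `permissions: contents: read` so that `pull_request` runs only ever receive a read-only token.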
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index c5ffc27..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: CI
-
-on: [push, pull_request]
-
-jobs:
- build:
-
- runs-on: ${{ matrix.os }}
-
- strategy:
- matrix:
- os: [ubuntu-latest, windows-latest, macos-latest]
-
- steps:
-
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Setup JDK 11
- uses: actions/setup-java@v2.4.0
- with:
- distribution: 'temurin'
- java-version: 11
- java-package: jdk
- architecture: x64
- cache: 'maven'
-
- - name: Inspect environment (Linux)
- if: runner.os == 'Linux'
- run: env | grep '^JAVA'
-
- - name: Build with Maven (Linux)
- timeout-minutes: 60
- if: runner.os == 'Linux'
- continue-on-error: true
- run: ./mvnw -V -B --no-transfer-progress -e -DtrimStackTrace=false -Dmaven.test.failure.ignore=true -Dsurefire.rerunFailingTestsCount=1
-
- - name: Inspect environment (Windows)
- if: runner.os == 'Windows'
- run: set java
-
- - name: Build with Maven (Windows)
- timeout-minutes: 60
- if: runner.os == 'Windows'
- continue-on-error: true
- run: ./mvnw -V -B --no-transfer-progress -e "-DtrimStackTrace=false" "-Dmaven.test.failure.ignore=true" "-Dsurefire.rerunFailingTestsCount=1" "-Dlog4j2.junit.fileCleanerSleepPeriodMillis=1000"
-
- - name: Inspect environment (MacOS)
- if: runner.os == 'macOS'
- run: env | grep '^JAVA'
-
- - name: Build with Maven (MacOS)
- timeout-minutes: 60
- if: runner.os == 'macOS'
- continue-on-error: true
- run: ./mvnw -V -B --no-transfer-progress -e -DtrimStackTrace=false -Dmaven.test.failure.ignore=true -Dsurefire.rerunFailingTestsCount=1
-
- - name: Publish Test Results
- # If the CI run is not initiated from the primary repository, it is highly likely that this is a PR from a user who doesn't have commit rights.
- # Hence, skip this step to avoid permission failures.
- if: github.repository == 'apache/logging-log4j2'
- uses: scacap/action-surefire-report@v1
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- check_name: Test Report (${{ matrix.os }})
- report_paths: '**/*-reports/TEST-*.xml'
-
- - name: Upload Test Reports
- # If the CI run is not initiated from the primary repository, it is highly likely that this is a PR from a user who doesn't have commit rights.
- # Hence, skip this step to avoid permission failures.
- if: github.repository == 'apache/logging-log4j2'
- uses: actions/upload-artifact@v2
- with:
- name: test-reports-${{ matrix.os }}
- path: '**/*-reports'
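Review bot: the commit message says "align", but this deletion also drops behaviour the new workflow does not carry over: the `Publish Test Results` (`scacap/action-surefire-report@v1`) and `Upload Test Reports` (`actions/upload-artifact@v2`) steps, and the `continue-on-error: true` plus `-Dmaven.test.failure.ignore=true` combination. Test failures now fail the job outright and surefire reports are neither published as checks nor kept as artifacts; that is a deliberate change in CI semantics and should be stated in the commit message. On the plus side, removing the step that handed `secrets.GITHUB_TOKEN` to a tag-pinned third-party action shrinks the workflow's trust surface.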
[logging-log4j2] 03/03: Add mention of "CVE creation process" to the security page.
Posted by vy...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 97e9c5a0afb25359c2bf8652b9556260184e16f0
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Thu Jan 27 09:31:08 2022 +0100
Add mention of "CVE creation process" to the security page.
---
src/site/asciidoc/security.adoc | 35 ++++++++++++++++++++++++-----------
1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/site/asciidoc/security.adoc b/src/site/asciidoc/security.adoc
index cb4ec2c..ab9a90e 100644
--- a/src/site/asciidoc/security.adoc
+++ b/src/site/asciidoc/security.adoc
@@ -15,7 +15,7 @@
limitations under the License.
////
-# Apache Log4j Security Vulnerabilities
+= Apache Log4j Security Vulnerabilities
This page lists all the security vulnerabilities fixed in released versions of Apache Log4j 2.
Each vulnerability is given a link:#Security_Impact_Levels[security impact rating]
@@ -44,7 +44,8 @@ If you have encountered an unlisted security vulnerability or other unexpected b
that has security impact, or if the descriptions here are incomplete, please report them
privately to the mailto:private@logging.apache.org[Log4j Security Team]. Thank you.
-### Fixed in Log4j 2.15.0
+[#log4j-2-15-0]
+=== Fixed in Log4j 2.15.0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228[CVE-2021-4422]: Apache Log4j2 JNDI
features do not protect against attacker controlled LDAP and other JNDI related endpoints.
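Review bot: the unchanged context line shows `[CVE-2021-4422]` as the link text while the URL is `name=CVE-2021-44228`; the displayed identifier is missing its final digit. Since this hunk already rewrites the section heading, the typo belongs in the same change: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228[CVE-2021-44228]`.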
@@ -72,7 +73,8 @@ Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team
References: https://issues.apache.org/jira/browse/LOG4J2-3201[https://issues.apache.org/jira/browse/LOG4J2-3201]
and https://issues.apache.org/jira/browse/LOG4J2-3198[https://issues.apache.org/jira/browse/LOG4J2-3198].
-### Fixed in Log4j 2.13.2
+[#log4j-2-13-2]
+=== Fixed in Log4j 2.13.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488[CVE-2020-9488]:
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
@@ -103,7 +105,8 @@ Credit: This issues was discovered by Peter Stöckli.
References: https://issues.apache.org/jira/browse/LOG4J2-2819
-### Fixed in Log4j 2.8.2
+[#log4j-2-8-2]
+=== Fixed in Log4j 2.8.2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645[CVE-2017-5645]: Apache Log4j socket
receiver deserialization vulnerability.
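Review bot: the hunk context `Credit: This issues was discovered by Peter Stöckli.` has a grammar slip (`This issue was`), and the `References:` lines in this file are formatted inconsistently, a bare `https://issues.apache.org/jira/browse/LOG4J2-2819` here against the `url[url]` form used for LOG4J2-3201 in the earlier hunk. Both are cheap to normalise while the section headings are being rewritten anyway.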
@@ -129,8 +132,8 @@ at Telstra
References: <https://issues.apache.org/jira/browse/LOG4J2-1863>
-[#Security_Impact_Levels]
-## Summary of security impact levels for Apache Log4j
+[#impact-levels]
+== Summary of security impact levels for Apache Log4j
The Apache Log4j Security Team rates the impact of each security flaw that affects Log4j.
We've chosen a rating scale quite similar to those used by other major vendors in order to
be consistent. Basically the goal of the rating system is to answer the question "How worried
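Review bot: renaming the anchor from `[#Security_Impact_Levels]` to `[#impact-levels]` breaks the cross-reference that the first hunk of this file leaves unchanged as context, `link:#Security_Impact_Levels[security impact rating]`; update it to `link:#impact-levels[security impact rating]` in the same commit. Because this file is the published security page, the old fragment id may also be linked from outside the site, so the rename is worth a line in the commit message.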
@@ -142,24 +145,34 @@ need to read the security advisories to find out more about the flaw.
We use the following descriptions to decide on the impact rating to give each vulnerability:
-### Critical
+[#impact-levels-critical]
+=== Critical
A vulnerability rated with a Critical impact is one which could potentially be exploited by
a remote attacker to get Log4j to execute arbitrary code (either as the user the server is
running as, or root). These are the sorts of vulnerabilities that could be exploited automatically
by worms.
-### Important
+[#impact-levels-important]
+=== Important
A vulnerability rated as Important impact is one which could result in the compromise of data
or availability of the server. For Log4j this includes issues that allow an easy remote denial
of service (something that is out of proportion to the attack or with a lasting consequence),
access to arbitrary files outside of the context root, or access to files that should be otherwise
prevented by limits or authentication.
-### Moderate
+[#impact-levels-moderate]
+=== Moderate
A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the
issue less of an impact. This might be because the flaw does not affect likely configurations, or
it is a configuration that isn't widely used.
-### Low
+[#impact-levels-low]
+=== Low
All other security flaws are classed as a Low impact. This rating is used for issues that are believed
-to be extremely hard to exploit, or where an exploit gives minimal consequences.
\ No newline at end of file
+to be extremely hard to exploit, or where an exploit gives minimal consequences.
+
+[#cve-creation]
+== CVE creation process
+
+Found security vulnerabilities are subject to voting (by means of https://logging.apache.org/guidelines.html[_lazy approval_], preferably) before creating a CVE and populating its associated content.
+This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.
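Review bot: the new `CVE creation process` section says that vulnerabilities are voted on before a CVE is created, but not by whom, where, or for how long the lazy-approval window runs; the page already names the `Log4j Security Team` and the `private@logging.apache.org` list in the reporting paragraph, so stating that the vote is held by that team on that list would make the process actionable for a reader. Separately, the `Low` paragraph appears as both removed and re-added only because the old file ended without a trailing newline (`\ No newline at end of file`); the content of that paragraph is unchanged.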
[logging-log4j2] 01/03: LOG4J2-3356 Fix maven-bundle-plugin configuration of JSON Template Layout.
Posted by vy...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 80a619b8a7965c477bea6c9ca279a26df154c002
Author: Volkan Yazici <vo...@yazi.ci>
AuthorDate: Fri Jan 21 17:01:52 2022 +0100
LOG4J2-3356 Fix maven-bundle-plugin configuration of JSON Template Layout.
---
log4j-layout-template-json/pom.xml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/log4j-layout-template-json/pom.xml b/log4j-layout-template-json/pom.xml
index 7f082e0..8992b8f 100644
--- a/log4j-layout-template-json/pom.xml
+++ b/log4j-layout-template-json/pom.xml
@@ -213,8 +213,9 @@
<artifactId>maven-bundle-plugin</artifactId>
<configuration>
<instructions>
- <Fragment-Host>org.apache.logging.log4j.layout.template.json</Fragment-Host>
- <Export-Package>*</Export-Package>
+ <Fragment-Host>org.apache.logging.log4j.core</Fragment-Host>
+ <Bundle-SymbolicName>org.apache.logging.log4j.layout.template.json</Bundle-SymbolicName>
+ <Export-Package>org.apache.logging.log4j.layout.template.json</Export-Package>
</instructions>
</configuration>
</plugin>
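Review bot: narrowing `Export-Package` from `*` to the literal `org.apache.logging.log4j.layout.template.json` exports exactly that package and nothing beneath it; with the bundle plugin, subpackages need their own entry or a wildcard such as `org.apache.logging.log4j.layout.template.json.*`, so confirm that no other package of this module has to be visible to OSGi consumers before merging. The `Fragment-Host` change is sound: the previous value named the layout module itself rather than a host bundle, whereas a layout plugin must attach to `org.apache.logging.log4j.core` to share its class loader, and setting `Bundle-SymbolicName` explicitly removes the dependence on the plugin's derived default name.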