Version in base suite: 2.13.3-1 Version in overlay suite: 2.15.0-1~deb11u1 Base version: apache-log4j2_2.15.0-1~deb11u1 Target version: apache-log4j2_2.16.0-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/apache-log4j2/apache-log4j2_2.15.0-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/apache-log4j2/apache-log4j2_2.16.0-1~deb11u1.dsc RELEASE-NOTES.md | 232 ---------- debian/changelog | 25 - log4j-1.2-api/pom.xml | 2 log4j-api-java9/pom.xml | 4 log4j-api/pom.xml | 2 log4j-appserver/pom.xml | 2 log4j-bom/pom.xml | 4 log4j-cassandra/pom.xml | 2 log4j-cassandra/src/test/java/org/apache/logging/log4j/cassandra/CassandraAppenderIT.java | 2 log4j-core-its/pom.xml | 2 log4j-core-its/src/test/java/org/apache/logging/log4j/core/SimplePerfTest.java | 2 log4j-core-java9/pom.xml | 4 log4j-core/pom.xml | 2 log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java | 13 log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java | 19 log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java | 54 +- log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java | 46 - log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java | 6 log4j-core/src/main/java/org/apache/logging/log4j/core/util/JndiCloser.java | 3 log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java | 6 log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java | 10 log4j-core/src/test/java/org/apache/logging/log4j/core/layout/PatternLayoutLookupDateTest.java | 4 log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java | 3 log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java | 64 ++ log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java | 6 
log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java | 27 + log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/MessagePatternConverterTest.java | 2 log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/RegexReplacementTest.java | 2 log4j-couchdb/pom.xml | 2 log4j-distribution/pom.xml | 2 log4j-docker/pom.xml | 4 log4j-flume-ng/pom.xml | 2 log4j-iostreams/pom.xml | 2 log4j-jakarta-web/pom.xml | 2 log4j-jcl/pom.xml | 2 log4j-jdbc-dbcp2/pom.xml | 2 log4j-jmx-gui/pom.xml | 2 log4j-jpa/pom.xml | 2 log4j-jpl/pom.xml | 4 log4j-jul/pom.xml | 2 log4j-kubernetes/pom.xml | 4 log4j-layout-template-json/pom.xml | 2 log4j-liquibase/pom.xml | 2 log4j-mongodb3/pom.xml | 2 log4j-mongodb4/pom.xml | 2 log4j-osgi/pom.xml | 2 log4j-perf/pom.xml | 4 log4j-samples/log4j-samples-configuration/pom.xml | 2 log4j-samples/log4j-samples-flume-common/pom.xml | 2 log4j-samples/log4j-samples-flume-embedded/pom.xml | 2 log4j-samples/log4j-samples-flume-remote/pom.xml | 2 log4j-samples/log4j-samples-loggerProperties/pom.xml | 2 log4j-samples/pom.xml | 2 log4j-slf4j-impl/pom.xml | 2 log4j-slf4j18-impl/pom.xml | 2 log4j-spring-boot/pom.xml | 4 log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml | 4 log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml | 6 log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml | 4 log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml | 2 log4j-spring-cloud-config/pom.xml | 2 log4j-taglib/pom.xml | 2 log4j-to-slf4j/pom.xml | 2 log4j-web/pom.xml | 2 pom.xml | 16 src/changes/announcement.vm | 28 - src/changes/changes.xml | 8 67 files changed, 320 insertions(+), 372 deletions(-) diff -Nru apache-log4j2-2.15.0/RELEASE-NOTES.md apache-log4j2-2.16.0/RELEASE-NOTES.md --- apache-log4j2-2.15.0/RELEASE-NOTES.md 2021-12-09 18:24:32.000000000 +0000 +++ 
apache-log4j2-2.16.0/RELEASE-NOTES.md 2021-12-13 05:40:13.000000000 +0000 @@ -14,9 +14,9 @@ See the License for the specific language governing permissions and limitations under the License. --> -# Apache Log4j 2.15.0 Release Notes +# Apache Log4j 2.16.0 Release Notes -The Apache Log4j 2 team is pleased to announce the Log4j 2.15.0 release! +The Apache Log4j 2 team is pleased to announce the Log4j 2.16.0 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides 
@@ -27,234 +27,44 @@ The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html. -This release contains a number of bug fixes and minor enhancements which are listed below. +This release contains one change which is noted below. Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.apache.org/jira/browse/LOG4J2-2975 and https://jira.qos.ch/browse/SLF4J-511. -Some of the new features in Log4j 2.15.0 include: +Some of the changes in Log4j 2.16.0 include: -* Support for Arbiters, which are conditionals that can enable sections of the logging configuration -for inclusion or exclusion. In particular, SpringProfile, SystemProperty, Script, and Class Arbiters have been -provided that use the Spring profile, System property, the result of a script, or the presence of a class respectively -to determine whether a section of configuration should be included. -* Support for Jakarta EE 9. This is functionally equivalent to Log4j's log4j-web module but uses the Jakarta project. -* Various performance improvements. - -Key changes to note: - -* Prior to this release Log4j would automatically resolve Lookups contained in the message or its parameters in the -Pattern Layout. Thisbehavior is no longer the default and must be enabled by specifying %msg{lookup}. -* The JNDI Lookup has been restricted to only support the java, ldap, and ldaps protocols by default. LDAP also no -longer supports classes that implement the Referenceable interface and restricts the Serializable classes to the -Java primative classes by default and requires an allow list to be specified to access remote LDAP servers. +* Remove Message Lookups. 
+* While release 2.15.0 removed the ability to resolve Lookups and log messages and addressed issues with how JNDI +is accessed, the Log4j team feels that having JNDI enabled by default introduces an undue risk for our users. +Starting in version 2.16.0, JNDI functionality is disabled by default and can be re-enabled via the +`log4j2.enableJndi` system property. Use of JNDI in an unprotected context is a large security risk and +should be treated as such in both this library and all other Java libraries using JNDI. +* Prior to version 2.15.0, Log4j would automatically resolve Lookups contained in the message or its parameters in the +Pattern Layout. This behavior is no longer the default and must be enabled by specifying %msg{lookup}. -The Log4j 2.15.0 API, as well as many core components, maintains binary compatibility with previous releases. +The Log4j 2.16.0 API, as well as many core components, maintains binary compatibility with previous releases. -## GA Release 2.15.0 +## GA Release 2.16.0 Changes in this version include: -### New Features -* [LOG4J2-3198](https://issues.apache.org/jira/browse/LOG4J2-3198): -Pattern layout no longer enables lookups within message text by default for cleaner API boundaries and reduced - formatting overhead. The old 'log4j2.formatMsgNoLookups' which enabled this behavior has been removed as well - as the 'nolookups' message pattern converter option. The old behavior can be enabled on a per-pattern basis - using '%m{lookups}'. -* [LOG4J2-3194](https://issues.apache.org/jira/browse/LOG4J2-3194): -Allow fractional attributes for size attribute of SizeBsaedTriggeringPolicy. Thanks to markuss. -* [LOG4J2-2978](https://issues.apache.org/jira/browse/LOG4J2-2978): -Add support for Jakarta EE 9 (Tomcat 10 / Jetty 11) Thanks to Michael Seele. -* [LOG4J2-3189](https://issues.apache.org/jira/browse/LOG4J2-3189): -Improve NameAbbreviator worst-case performance. 
-* [LOG4J2-3170](https://issues.apache.org/jira/browse/LOG4J2-3170): -Make CRLF/HTML encoding run in O(n) worst-case time, rather than O(n^2). Thanks to Gareth Smith. -* [LOG4J2-3133](https://issues.apache.org/jira/browse/LOG4J2-3133): -Add missing slf4j-api singleton accessors to log4j-slf4j-impl (1.7) StaticMarkerBinder and StaticMDCBinder. - This doesn't impact behavior or correctness, but avoids throwing and catching NoSuchMethodErrors when slf4j - is initialized and avoids linkage linting warnings. -* [LOG4J2-2885](https://issues.apache.org/jira/browse/LOG4J2-2885): -Add support for US-style date patterns and micro/nano seconds to FixedDateTime. Thanks to Markus Spann. -* [LOG4J2-3116](https://issues.apache.org/jira/browse/LOG4J2-3116): -Add JsonTemplateLayout for Google Cloud Platform structured logging layout. -* [LOG4J2-3067](https://issues.apache.org/jira/browse/LOG4J2-3067): -Add CounterResolver to JsonTemplateLayout. -* [LOG4J2-3074](https://issues.apache.org/jira/browse/LOG4J2-3074): -Add replacement parameter to ReadOnlyStringMapResolver. -* [LOG4J2-3051](https://issues.apache.org/jira/browse/LOG4J2-3051): -Add CaseConverterResolver to JsonTemplateLayout. -* [LOG4J2-3064](https://issues.apache.org/jira/browse/LOG4J2-3064): -Add Arbiters and SpringProfile plugin. -* [LOG4J2-3056](https://issues.apache.org/jira/browse/LOG4J2-3056): -Refactor MD5 usage for sharing sensitive information. Thanks to Marcono1234. -* [LOG4J2-3004](https://issues.apache.org/jira/browse/LOG4J2-3004): -Add plugin support to JsonTemplateLayout. -* [LOG4J2-3050](https://issues.apache.org/jira/browse/LOG4J2-3050): -Allow AdditionalFields to be ignored if their value is null or a zero-length String. -* [LOG4J2-3049](https://issues.apache.org/jira/browse/LOG4J2-3049): -Allow MapMessage and ThreadContext attributes to be prefixed. -* [LOG4J2=3048](https://issues.apache.org/jira/browse/LOG4J2=3048): -Add improved MapMessge support to GelfLayout. 
-* [LOG4J2-3044](https://issues.apache.org/jira/browse/LOG4J2-3044): -Add RepeatPatternConverter. -* [LOG4J2-2940](https://issues.apache.org/jira/browse/LOG4J2-2940): -Context selectors are aware of their dependence upon the callers ClassLoader, allowing - basic context selectors to avoid the unnecessary overhead of walking the stack to - determine the caller's ClassLoader. -* [LOG4J2-2940](https://issues.apache.org/jira/browse/LOG4J2-2940): -Add BasicAsyncLoggerContextSelector equivalent to AsyncLoggerContextSelector for - applications with a single LoggerContext. This selector avoids classloader lookup - overhead incurred by the existing AsyncLoggerContextSelector. -* [LOG4J2-3041](https://issues.apache.org/jira/browse/LOG4J2-3041): -Allow a PatternSelector to be specified on GelfLayout. -* [LOG4J2-3141](https://issues.apache.org/jira/browse/LOG4J2-3141): -Avoid ThreadLocal overhead in RandomAccessFileAppender, RollingRandomAccessFileManager, - and MemoryMappedFileManager due to the unused setEndOfBatch and isEndOfBatch methods. - The methods on LogEvent are preferred. -* [LOG4J2-3144](https://issues.apache.org/jira/browse/LOG4J2-3144): -Prefer string.getBytes(Charset) over string.getBytes(String) - based on performance improvements in modern Java releases. -* [LOG4J2-3171](https://issues.apache.org/jira/browse/LOG4J2-3171): -Improve PatternLayout performance by reducing unnecessary indirection and branching. ### Fixed Bugs -* [LOG4J2-3201](https://issues.apache.org/jira/browse/LOG4J2-3201): -Limit the protocols JNDI can use by default. Limit the servers and classes that can be accessed via LDAP. -* [LOG4J2-3114](https://issues.apache.org/jira/browse/LOG4J2-3114): -Enable immediate flush on RollingFileAppender when buffered i/o is not enabled. Thanks to Barnabas Bodnar. -* [LOG4J2-3168](https://issues.apache.org/jira/browse/LOG4J2-3168): -Fix bug when file names contain regex characters. Thanks to Benjamin Wöster. 
-* [LOG4J2-3110](https://issues.apache.org/jira/browse/LOG4J2-3110): -Fix the number of {}-placeholders in the string literal argument does not match the number of other arguments - to the logging call. Thanks to Arturo Bernal. -* [LOG4J2-3060](https://issues.apache.org/jira/browse/LOG4J2-3060): -Fix thread-safety issues in DefaultErrorHandler. Thanks to Nikita Mikhailov. -* [LOG4J2-3185](https://issues.apache.org/jira/browse/LOG4J2-3185): -Fix thread-safety issues in DefaultErrorHandler. Thanks to mzbonnt. -* [LOG4J2-3183](https://issues.apache.org/jira/browse/LOG4J2-3183): -Avoid using MutableInstant of the event as a cache key in JsonTemplateLayout. -* [LOG4J2-2829](https://issues.apache.org/jira/browse/LOG4J2-2829): -SocketAppender should propagate failures when reconnection fails. -* [LOG4J2-3172](https://issues.apache.org/jira/browse/LOG4J2-3172): -Buffer immutable log events in the SmtpManager. Thanks to Barry Fleming. -* [LOG4J2-3175](https://issues.apache.org/jira/browse/LOG4J2-3175): -Avoid KafkaManager override when topics differ. Thanks to wuqian0808. -* [LOG4J2-3160](https://issues.apache.org/jira/browse/LOG4J2-3160): -Fix documentation on how to toggle log4j2.debug system property. Thanks to Lars Bohl. -* [LOG4J2-3159](https://issues.apache.org/jira/browse/LOG4J2-3159): -Fixed an unlikely race condition in Log4jMarker.getParents() volatile access. -* [LOG4J2-3153](https://issues.apache.org/jira/browse/LOG4J2-3153): -DatePatternConverter performance is not impacted by microsecond-precision clocks when such precision isn't - required. -* [LOG4J2-2808](https://issues.apache.org/jira/browse/LOG4J2-2808): -LoggerContext skips resolving localhost when hostName is configured. Thanks to Asapha Halifa. -* [LOG4J2-3150](https://issues.apache.org/jira/browse/LOG4J2-3150): -RandomAccessFile appender uses the correct default buffer size of 256 kB - rather than the default appender buffer size of 8 kB. 
-* [LOG4J2-3142](https://issues.apache.org/jira/browse/LOG4J2-3142): -log4j-1.2-api implements LogEventAdapter.getTimestamp() based on the original event timestamp - instead of returning zero. Thanks to John Meikle. -* [LOG4J2-3083](https://issues.apache.org/jira/browse/LOG4J2-3083): -log4j-slf4j-impl and log4j-slf4j18-impl correctly detect the calling class using both LoggerFactory.getLogger - methods as well as LoggerFactory.getILoggerFactory().getLogger. -* [LOG4J2-2816](https://issues.apache.org/jira/browse/LOG4J2-2816): -Handle Disruptor event translation exceptions. Thanks to Jacob Shields. -* [LOG4J2-3121](https://issues.apache.org/jira/browse/LOG4J2-3121): -log4j2 config modified at run-time may trigger incomplete MBean re-initialization due to InstanceAlreadyExistsException. Thanks to Markus Spann. -* [LOG4J2-3107](https://issues.apache.org/jira/browse/LOG4J2-3107): -SmtpManager.createManagerName ignores port. Thanks to Markus Spann. -* [LOG4J2-3080](https://issues.apache.org/jira/browse/LOG4J2-3080): -Use SimpleMessage in Log4j 1 Category whenever possible. -* [LOG4J2-3102](https://issues.apache.org/jira/browse/LOG4J2-3102): -Fix a regression in 2.14.1 which allowed the AsyncAppender background thread to keep the JVM alive because - the daemon flag was not set. -* [LOG4J2-3103](https://issues.apache.org/jira/browse/LOG4J2-3103): -Fix race condition which can result in ConcurrentModificationException on context.stop. Thanks to Mike Glazer. -* [LOG4J2-3092](https://issues.apache.org/jira/browse/LOG4J2-3092): -Fix JsonWriter memory leaks due to retained excessive buffer growth. Thanks to xmh51. -* [LOG4J2-3089](https://issues.apache.org/jira/browse/LOG4J2-3089): -Fix sporadic JsonTemplateLayoutNullEventDelimiterTest failures on Windows. Thanks to Tim Perry. -* [LOG4J2-3075](https://issues.apache.org/jira/browse/LOG4J2-3075): -Fix formatting of nanoseconds in JsonTemplateLayout. 
-* [LOG4J2-3087](https://issues.apache.org/jira/browse/LOG4J2-3087): -Fix race in JsonTemplateLayout where a timestamp could end up unquoted. Thanks to Anton Klarén. -* [LOG4J2-3070](https://issues.apache.org/jira/browse/LOG4J2-3070): -Ensure EncodingPatternConverter#handlesThrowable is implemented. Thanks to Romain Manni-Bucau. -* [LOG4J2-3054](https://issues.apache.org/jira/browse/LOG4J2-3054): -BasicContextSelector hasContext and shutdown take the default context into account -* [LOG4J2-2940](https://issues.apache.org/jira/browse/LOG4J2-2940): -Slf4j implementations walk the stack at most once rather than twice to determine the caller's class loader. -* [LOG4J2-2965](https://issues.apache.org/jira/browse/LOG4J2-2965): -Fixed a deadlock between the AsyncLoggerContextSelector and java.util.logging.LogManager by updating Disruptor to 3.4.4. -* [LOG4J2-3095](https://issues.apache.org/jira/browse/LOG4J2-3095): -Category.setLevel should accept null value. Thanks to Kenny MacLeod, Gary Gregory. -* [LOG4J2-3174](https://issues.apache.org/jira/browse/LOG4J2-3174): -Wrong subject on mail when it depends on the LogEvent Thanks to romainmoreau. - -### Changes -* [](https://issues.apache.org/jira/browse/): -Update Spring framework to 5.3.13, Spring Boot to 2.5.7, and Spring Cloud to 2020.0.4. -* [LOG4J2-2025](https://issues.apache.org/jira/browse/LOG4J2-2025): -Provide support for overriding the Tomcat Log class in Tomcat 8.5+. -* [](https://issues.apache.org/jira/browse/): -Updated dependencies. - - - com.fasterxml.jackson.core:jackson-annotations ................. 2.12.2 -> 2.12.4 - - com.fasterxml.jackson.core:jackson-core ........................ 2.12.2 -> 2.12.4 - - com.fasterxml.jackson.core:jackson-databind .................... 2.12.2 -> 2.12.4 - - com.fasterxml.jackson.dataformat:jackson-dataformat-xml ........ 2.12.2 -> 2.12.4 - - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ....... 
2.12.2 -> 2.12.4 - - com.fasterxml.jackson.module:jackson-module-jaxb-annotations ... 2.12.2 -> 2.12.4 - - com.fasterxml.woodstox:woodstox-core ........................... 6.2.4 -> 6.2.6 - - commons-io:commons-io .......................................... 2.8.0 -> 2.11.0 - - net.javacrumbs.json-unit:json-unit ............................. 2.24.0 -> 2.25.0 - - net.javacrumbs.json-unit:json-unit ............................. 2.25.0 -> 2.27.0 - - org.apache.activemq:activemq-broker ............................ 5.16.1 -> 5.16.2 - - org.apache.activemq:activemq-broker ............................ 5.16.2 -> 5.16.3 - - org.apache.commons:commons-compress ............................ 1.20 -> 1.21 - - org.apache.commons:commons-csv ................................. 1.8 -> 1.9.0 - - org.apache.commons:commons-dbcp2 ............................... 2.8.0 -> 2.9.0 - - org.apache.commons:commons-pool2 ............................... 2.9.0 -> 2.11.1 - - org.apache.maven.plugins:maven-failsafe-plugin ................. 2.22.2 -> 3.0.0-M5 - - org.apache.maven.plugins:maven-surefire-plugin ................. 2.22.2 -> 3.0.0-M5 - - org.apache.rat:apache-rat-plugin ............................... 0.12 -> 0.13 - - org.assertj:assertj-core ....................................... 3.19.0 -> 3.20.2 - - org.codehaus.groovy:groovy-dateutil ............................ 3.0.7 -> 3.0.8 - - org.codehaus.groovy:groovy-jsr223 .............................. 3.0.7 -> 3.0.8 - - org.codehaus.plexus:plexus-utils ............................... 3.3.0 -> 3.4.0 - - org.eclipse.persistence:javax.persistence ...................... 2.1.1 -> 2.2.1 - - org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.6.5 -> 2.6.9 - - org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.7.8 -> 2.7.9 - - org.fusesource.jansi ........................................... 2.3.2 -> 2.3.4 - - org.fusesource.jansi:jansi ..................................... 
2.3.1 -> 2.3.2 - - org.hsqldb:hsqldb .............................................. 2.5.1 -> 2.5.2 - - org.junit.jupiter:junit-jupiter-engine ......................... 5.7.1 -> 5.7.2 - - org.junit.jupiter:junit-jupiter-migrationsupport ............... 5.7.1 -> 5.7.2 - - org.junit.jupiter:junit-jupiter-params ......................... 5.7.1 -> 5.7.2 - - org.junit.vintage:junit-vintage-engine ......................... 5.7.1 -> 5.7.2 - - org.liquibase:liquibase-core ................................... 3.5.3 -> 3.5.5 - - org.mockito:mockito-core ....................................... 3.8.0 -> 3.11.2 - - org.mockito:mockito-junit-jupiter .............................. 3.8.0 -> 3.11.2 - - org.springframework:spring-aop ................................. 5.3.3 -> 5.3.9 - - org.springframework:spring-beans ............................... 5.3.3 -> 5.3.9 - - org.springframework:spring-context ............................. 5.3.3 -> 5.3.9 - - org.springframework:spring-context-support ..................... 5.3.3 -> 5.3.9 - - org.springframework:spring-core ................................ 5.3.3 -> 5.3.9 - - org.springframework:spring-expression .......................... 5.3.3 -> 5.3.9 - - org.springframework:spring-oxm ................................. 5.3.3 -> 5.3.9 - - org.springframework:spring-test ................................ 5.3.3 -> 5.3.9 - - org.springframework:spring-web ................................. 5.3.3 -> 5.3.9 - - org.springframework:spring-webmvc .............................. 5.3.3 -> 5.3.9 - - org.tukaani:xz ................................................. 1.8 -> 1.9 +* [LOG4J2-3208](https://issues.apache.org/jira/browse/LOG4J2-3208): +Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. +* [LOG4J2-3211](https://issues.apache.org/jira/browse/LOG4J2-3211): +Completely remove support for Message Lookups. + --- -Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. 
Log4j 2.12.1 is the last release to support +Apache Log4j 2.16.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is not longer supported by the Log4j team. For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: -https://logging.apache.org/log4j/2.x/ \ No newline at end of file +https://logging.apache.org/log4j/2.x/ diff -Nru apache-log4j2-2.15.0/debian/changelog apache-log4j2-2.16.0/debian/changelog --- apache-log4j2-2.15.0/debian/changelog 2021-12-11 16:15:53.000000000 +0000 +++ apache-log4j2-2.16.0/debian/changelog 2021-12-15 23:48:17.000000000 +0000 
@@ -1,10 +1,27 @@ -apache-log4j2 (2.15.0-1~deb11u1) bullseye-security; urgency=high +apache-log4j2 (2.16.0-1~deb11u1) bullseye-security; urgency=high * Team upload. - * Backport version 2.15.0 to Bullseye and fix CVE-2021-44228. - (Closes: #1001478) + * Backport version 2.16.0 to Bullseye and fix CVE-2021-45046. + (Closes: #1001729) - -- Markus Koschany Sat, 11 Dec 2021 17:15:53 +0100 + -- Markus Koschany Thu, 16 Dec 2021 00:48:17 +0100 + +apache-log4j2 (2.16.0-1) unstable; urgency=high + + * Team upload. + * New upstream version 2.16.0. + - Fix CVE-2021-45046: + It was found that the fix to address CVE-2021-44228 in Apache Log4j + 2.15.0 was incomplete in certain non-default configurations. This could + allow attackers with control over Thread Context Map (MDC) input data + when the logging configuration uses a non-default Pattern Layout with + either a Context Lookup (for example, $${ctx:loginId}) or a Thread + Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data + using a JNDI Lookup pattern resulting in a denial of service (DOS) + attack. + Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729) + + -- Markus Koschany Wed, 15 Dec 2021 02:38:06 +0100 apache-log4j2 (2.15.0-1) unstable; urgency=high diff -Nru apache-log4j2-2.15.0/log4j-1.2-api/pom.xml apache-log4j2-2.16.0/log4j-1.2-api/pom.xml --- apache-log4j2-2.15.0/log4j-1.2-api/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-1.2-api/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-1.2-api diff -Nru apache-log4j2-2.15.0/log4j-api/pom.xml apache-log4j2-2.16.0/log4j-api/pom.xml --- apache-log4j2-2.15.0/log4j-api/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-api/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-api diff -Nru apache-log4j2-2.15.0/log4j-api-java9/pom.xml apache-log4j2-2.16.0/log4j-api-java9/pom.xml --- apache-log4j2-2.15.0/log4j-api-java9/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-api-java9/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-api-java9 @@ -48,7 +48,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-appserver/pom.xml apache-log4j2-2.16.0/log4j-appserver/pom.xml --- apache-log4j2-2.15.0/log4j-appserver/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-appserver/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-bom/pom.xml apache-log4j2-2.16.0/log4j-bom/pom.xml --- apache-log4j2-2.15.0/log4j-bom/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-bom/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -26,7 +26,7 @@ Apache Log4j Bill of Materials org.apache.logging.log4j log4j-bom - 2.15.0 + 2.16.0 pom @@ -217,6 +217,6 @@ - log4j-2.15.0-rc2 + log4j-2.16.0-rc1 diff -Nru apache-log4j2-2.15.0/log4j-cassandra/pom.xml apache-log4j2-2.16.0/log4j-cassandra/pom.xml --- apache-log4j2-2.15.0/log4j-cassandra/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-cassandra/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-cassandra/src/test/java/org/apache/logging/log4j/cassandra/CassandraAppenderIT.java apache-log4j2-2.16.0/log4j-cassandra/src/test/java/org/apache/logging/log4j/cassandra/CassandraAppenderIT.java --- apache-log4j2-2.15.0/log4j-cassandra/src/test/java/org/apache/logging/log4j/cassandra/CassandraAppenderIT.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-cassandra/src/test/java/org/apache/logging/log4j/cassandra/CassandraAppenderIT.java 2021-12-13 05:40:13.000000000 +0000 @@ -30,6 +30,7 @@ import org.apache.logging.log4j.categories.Appenders; import org.apache.logging.log4j.junit.LoggerContextRule; import org.junit.ClassRule; +import org.junit.Ignore; import org.junit.Test; import org.junit.experimental.categories.Category; import org.junit.rules.RuleChain; @@ -40,6 +41,7 @@ * Integration test for CassandraAppender. */ @Category(Appenders.Cassandra.class) +@Ignore("Does not work on aarch64") public class CassandraAppenderIT { private static final String DDL = "CREATE TABLE logs (" + diff -Nru apache-log4j2-2.15.0/log4j-core/pom.xml apache-log4j2-2.16.0/log4j-core/pom.xml --- apache-log4j2-2.15.0/log4j-core/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-core diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java 2021-12-13 05:40:13.000000000 +0000 
@@ -124,10 +124,15 @@ @Override public JmsManager createManager(final String name, final JmsManagerConfiguration data) { - try { - return new JmsManager(name, data); - } catch (final Exception e) { - logger().error("Error creating JmsManager using JmsManagerConfiguration [{}]", data, e); + if (JndiManager.isJndiEnabled()) { + try { + return new JmsManager(name, data); + } catch (final Exception e) { + logger().error("Error creating JmsManager using JmsManagerConfiguration [{}]", data, e); + return null; + } + } else { + logger().error("JNDI has not been enabled. The log4j2.enableJndi property must be set to true"); return null; } } diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java 2021-12-13 05:40:13.000000000 +0000 @@ -26,6 +26,7 @@ import org.apache.logging.log4j.core.config.ConfigurationAware; import org.apache.logging.log4j.core.config.plugins.util.PluginManager; import org.apache.logging.log4j.core.config.plugins.util.PluginType; +import org.apache.logging.log4j.core.net.JndiManager; import org.apache.logging.log4j.core.util.Loader; import org.apache.logging.log4j.core.util.ReflectionUtil; import org.apache.logging.log4j.status.StatusLogger; 
@@ -77,7 +78,9 @@ for (final Map.Entry> entry : plugins.entrySet()) { try { final Class clazz = entry.getValue().getPluginClass().asSubclass(StrLookup.class); - strLookupMap.put(entry.getKey().toLowerCase(), ReflectionUtil.instantiate(clazz)); + if (!clazz.getName().equals(JndiLookup.class.getName()) || JndiManager.isJndiEnabled()) { + strLookupMap.put(entry.getKey().toLowerCase(), ReflectionUtil.instantiate(clazz)); + } } catch (final Throwable t) { handleError(entry.getKey(), t); } @@ -106,12 +109,14 @@ strLookupMap.put("lower", new LowerLookup()); strLookupMap.put("upper", new UpperLookup()); // JNDI - try { - // [LOG4J2-703] We might be on Android - strLookupMap.put(LOOKUP_KEY_JNDI, - Loader.newCheckedInstanceOf("org.apache.logging.log4j.core.lookup.JndiLookup", StrLookup.class)); - } catch (final LinkageError | Exception e) { - handleError(LOOKUP_KEY_JNDI, e); + if (JndiManager.isJndiEnabled()) { + try { + // [LOG4J2-703] We might be on Android + strLookupMap.put(LOOKUP_KEY_JNDI, + Loader.newCheckedInstanceOf("org.apache.logging.log4j.core.lookup.JndiLookup", StrLookup.class)); + } catch (final LinkageError | Exception e) { + handleError(LOOKUP_KEY_JNDI, e); + } } // JMX input args try { diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java 2021-12-13 05:40:13.000000000 +0000 
@@ -73,6 +73,10 @@ private final DirContext context; + public static boolean isJndiEnabled() { + return PropertiesUtil.getProperties().getBooleanProperty("log4j2.enableJndi", false); + } + private JndiManager(final String name, final DirContext context, final List allowedHosts, final List allowedClasses, final List allowedProtocols) { super(null, name); @@ -82,6 +86,14 @@ this.allowedProtocols = allowedProtocols; } + private JndiManager(final String name) { + super(null, name); + this.context = null; + this.allowedProtocols = null; + this.allowedClasses = null; + this.allowedHosts = null; + } + /** * Gets the default JndiManager using the default {@link javax.naming.InitialContext}. * @@ -194,7 +206,10 @@ @Override protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) { - return JndiCloser.closeSilently(this.context); + if (context != null) { + return JndiCloser.closeSilently(this.context); + } + return true; } /** @@ -207,6 +222,9 @@ */ @SuppressWarnings("unchecked") public synchronized T lookup(final String name) throws NamingException { + if (context == null) { + return null; + } try { URI uri = new URI(name); if (uri.getScheme() != null) { 
@@ -262,21 +280,25 @@ @Override public JndiManager createManager(final String name, final Properties data) { - String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null; - String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null; - String protocols = data != null ? data.getProperty(ALLOWED_PROTOCOLS) : null; - List allowedHosts = new ArrayList<>(); - List allowedClasses = new ArrayList<>(); - List allowedProtocols = new ArrayList<>(); - addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data); - addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data); - addAll(protocols, allowedProtocols, permanentAllowedProtocols, ALLOWED_PROTOCOLS, data); - try { - return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses, - allowedProtocols); - } catch (final NamingException e) { - LOGGER.error("Error creating JNDI InitialContext.", e); - return null; + if (isJndiEnabled()) { + String hosts = data != null ? data.getProperty(ALLOWED_HOSTS) : null; + String classes = data != null ? data.getProperty(ALLOWED_CLASSES) : null; + String protocols = data != null ? 
data.getProperty(ALLOWED_PROTOCOLS) : null; + List allowedHosts = new ArrayList<>(); + List allowedClasses = new ArrayList<>(); + List allowedProtocols = new ArrayList<>(); + addAll(hosts, allowedHosts, permanentAllowedHosts, ALLOWED_HOSTS, data); + addAll(classes, allowedClasses, permanentAllowedClasses, ALLOWED_CLASSES, data); + addAll(protocols, allowedProtocols, permanentAllowedProtocols, ALLOWED_PROTOCOLS, data); + try { + return new JndiManager(name, new InitialDirContext(data), allowedHosts, allowedClasses, + allowedProtocols); + } catch (final NamingException e) { + LOGGER.error("Error creating JNDI InitialContext.", e); + return null; + } + } else { + return new JndiManager(name); } } diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java 2021-12-13 05:40:13.000000000 +0000 @@ -20,6 +20,7 @@ import java.util.List; import java.util.Locale; +import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.config.Configuration; import org.apache.logging.log4j.core.config.plugins.Plugin; @@ -38,7 +39,7 @@ @ConverterKeys({ "m", "msg", "message" }) @PerformanceSensitive("allocation") public class MessagePatternConverter extends LogEventPatternConverter { - + private static final String LOOKUPS = "lookups"; private static final String NOLOOKUPS = "nolookups"; 
@@ -46,17 +47,6 @@ super("Message", "message"); } - private static boolean loadLookups(final String[] options) { - if (options != null) { - for (final String option : options) { - if (LOOKUPS.equalsIgnoreCase(option)) { - return true; - } - } - } - return false; - } - private static TextRenderer loadMessageRenderer(final String[] options) { if (options != null) { for (final String option : options) { @@ -86,15 +76,11 @@ * @return instance of pattern converter. */ public static MessagePatternConverter newInstance(final Configuration config, final String[] options) { - boolean lookups = loadLookups(options); String[] formats = withoutLookupOptions(options); TextRenderer textRenderer = loadMessageRenderer(formats); MessagePatternConverter result = formats == null || formats.length == 0 ? SimpleMessagePatternConverter.INSTANCE : new FormattedMessagePatternConverter(formats); - if (lookups && config != null) { - result = new LookupMessagePatternConverter(result, config); - } if (textRenderer != null) { result = new RenderingPatternConverter(result, textRenderer); } @@ -107,7 +93,9 @@ } List results = new ArrayList<>(options.length); for (String option : options) { - if (!LOOKUPS.equalsIgnoreCase(option) && !NOLOOKUPS.equalsIgnoreCase(option)) { + if (LOOKUPS.equalsIgnoreCase(option) || NOLOOKUPS.equalsIgnoreCase(option)) { + LOGGER.info("The {} option will be ignored. Message Lookups are no longer supported.", option); + } else { results.add(option); } } 
@@ -163,30 +151,6 @@ } } } - - private static final class LookupMessagePatternConverter extends MessagePatternConverter { - private final MessagePatternConverter delegate; - private final Configuration config; - - LookupMessagePatternConverter(final MessagePatternConverter delegate, final Configuration config) { - this.delegate = delegate; - this.config = config; - } - - /** - * {@inheritDoc} - */ - @Override - public void format(final LogEvent event, final StringBuilder toAppendTo) { - int start = toAppendTo.length(); - delegate.format(event, toAppendTo); - int indexOfSubstitution = toAppendTo.indexOf("${", start); - if (indexOfSubstitution >= 0) { - config.getStrSubstitutor() - .replaceIn(event, toAppendTo, indexOfSubstitution, toAppendTo.length() - indexOfSubstitution); - } - } - } private static final class RenderingPatternConverter extends MessagePatternConverter { diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/selector/JndiContextSelector.java 2021-12-13 05:40:13.000000000 +0000 
@@ -93,6 +93,12 @@ private static final StatusLogger LOGGER = StatusLogger.getLogger(); + public JndiContextSelector() { + if (!JndiManager.isJndiEnabled()) { + throw new IllegalStateException("JNDI must be enabled by setting log4j2.enableJndi=true"); + } + } + @Override public void shutdown(String fqcn, ClassLoader loader, boolean currentContext, boolean allContexts) { LoggerContext ctx = ContextAnchor.THREAD_CONTEXT.get(); diff -Nru apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/util/JndiCloser.java apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/util/JndiCloser.java --- apache-log4j2-2.15.0/log4j-core/src/main/java/org/apache/logging/log4j/core/util/JndiCloser.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/main/java/org/apache/logging/log4j/core/util/JndiCloser.java 2021-12-13 05:40:13.000000000 +0000 @@ -35,6 +35,7 @@ * * @param context the JNDI Context to close, may be {@code null} * @throws NamingException if a problem occurred closing the specified JNDI Context + * @see Context#close() */ public static void close(final Context context) throws NamingException { if (context != null) { 
@@ -46,6 +47,8 @@ * Closes the specified {@code Context}, ignoring any exceptions thrown by the close operation. * * @param context the JNDI Context to close, may be {@code null} + * @return Whether closing succeeded + * @see Context#close() */ public static boolean closeSilently(final Context context) { try { diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -49,6 +49,7 @@ import org.apache.logging.log4j.message.SimpleMessage; import org.apache.logging.log4j.message.StringMapMessage; import org.junit.Before; +import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; 
@@ -83,6 +84,11 @@ @Rule public RuleChain rules = RuleChain.outerRule(jndiRule).around(ctx); + @BeforeClass + public static void beforeClass() throws Exception { + System.setProperty("log4j2.enableJndi", "true"); + } + public JmsAppenderTest() throws Exception { // this needs to set up before LoggerContextRule given(connectionFactory.createConnection()).willReturn(connection); diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/routing/RoutingAppenderWithJndiTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -18,6 +18,7 @@ import java.io.File; import java.util.Collections; +import java.util.Map; import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; @@ -29,6 +30,7 @@ import org.apache.logging.log4j.test.appender.ListAppender; import org.junit.After; import org.junit.Before; +import org.junit.BeforeClass; import org.junit.ClassRule; import org.junit.Test; import org.junit.rules.RuleChain; 
@@ -47,8 +49,12 @@ public static LoggerContextRule loggerContextRule = new LoggerContextRule("log4j-routing-by-jndi.xml"); @ClassRule - public static RuleChain rules = RuleChain.outerRule(new JndiRule(Collections.emptyMap())) - .around(loggerContextRule); + public static RuleChain rules = RuleChain.outerRule(new JndiRule(initBindings())).around(loggerContextRule); + + private static Map initBindings() { + System.setProperty("log4j2.enableJndi", "true"); + return Collections.emptyMap(); + } @Before public void before() throws NamingException { diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/PatternLayoutLookupDateTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/PatternLayoutLookupDateTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/PatternLayoutLookupDateTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/layout/PatternLayoutLookupDateTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -22,7 +22,7 @@ import org.apache.logging.log4j.test.appender.ListAppender; import org.junit.jupiter.api.Test; -import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; /** * See (LOG4J2-905) Ability to disable (date) lookup completely, compatibility issues with other libraries like camel. 
@@ -38,7 +38,7 @@ final String template = "${date:YYYY-MM-dd}"; context.getLogger(PatternLayoutLookupDateTest.class.getName()).info(template); final String string = listAppender.getMessages().get(0); - assertFalse(string.contains(template), string); + assertTrue(string.contains(template), string); } } diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -23,6 +23,7 @@ import org.apache.logging.log4j.ThreadContext; import org.apache.logging.log4j.junit.JndiRule; +import org.junit.BeforeClass; import org.junit.ClassRule; import org.junit.Test; import org.junit.rules.ExternalResource; 
@@ -48,12 +49,14 @@ protected void before() throws Throwable { System.setProperty(TESTKEY, TESTVAL); System.setProperty(TESTKEY2, TESTVAL); + System.setProperty("log4j2.enableJndi", "true"); } @Override protected void after() { System.clearProperty(TESTKEY); System.clearProperty(TESTKEY2); + System.clearProperty("log4j2.enableJndi"); } }).around(new JndiRule( JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME)); diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java 1970-01-01 00:00:00.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiDisabledLookupTest.java 2021-12-13 05:40:13.000000000 +0000 
@@ -0,0 +1,64 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache license, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the license for the specific language governing permissions and + * limitations under the license. + */ +package org.apache.logging.log4j.core.lookup; + +import java.util.Arrays; +import java.util.Collection; +import java.util.HashMap; +import java.util.Map; + +import org.apache.logging.log4j.junit.JndiRule; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; + +/** + * JndiDisabledLookupTest + * + * Verifies the Lookups are disabled without the log4j2.enableJndi property set to true. 
+ */ +public class JndiDisabledLookupTest { + + private static final String TEST_CONTEXT_RESOURCE_NAME = "logging/context-name"; + private static final String TEST_CONTEXT_NAME = "app-1"; + private static final String TEST_INTEGRAL_NAME = "int-value"; + private static final int TEST_INTEGRAL_VALUE = 42; + private static final String TEST_STRINGS_NAME = "string-collection"; + private static final Collection TEST_STRINGS_COLLECTION = Arrays.asList("one", "two", "three"); + + @Rule + public JndiRule jndiRule = new JndiRule(createBindings()); + + private Map createBindings() { + final Map map = new HashMap<>(); + map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME); + map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_INTEGRAL_NAME, TEST_INTEGRAL_VALUE); + map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_STRINGS_NAME, TEST_STRINGS_COLLECTION); + return map; + } + + @Test + public void testLookup() { + final StrLookup lookup = new JndiLookup(); + + String contextName = lookup.lookup(TEST_CONTEXT_RESOURCE_NAME); + assertNull(contextName); + } +} diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLookupTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -22,6 +22,7 @@ import java.util.Map; import org.apache.logging.log4j.junit.JndiRule; +import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; 
@@ -42,6 +43,11 @@ @Rule public JndiRule jndiRule = new JndiRule(createBindings()); + @BeforeClass + public static void beforeClass() { + System.setProperty("log4j2.enableJndi", "true"); + } + private Map createBindings() { final Map map = new HashMap<>(); map.put(JndiLookup.CONTAINER_JNDI_RESOURCE_PATH_PREFIX + TEST_CONTEXT_RESOURCE_NAME, TEST_CONTEXT_NAME); diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -39,6 +39,8 @@ public class JndiRestrictedLookupTest { private static final String LDAP_URL = "ldap://127.0.0.1:"; + private static final String LDAP_BADV6_URL = "ldap://[2001:db8:1f70::999:de8:7648:6e8]@127.0.0.1:"; + private static final String LDAP_V6_URL = "ldap://[2001:db8:1f70::999:de8:7648:6e8]:"; private static final String RESOURCE = "JndiExploit"; private static final String TEST_STRING = "TestString"; private static final String TEST_MESSAGE = "TestMessage"; @@ -54,6 +56,7 @@ public static void beforeClass() { System.setProperty("log4j2.allowedLdapClasses", Level.class.getName()); System.setProperty("log4j2.allowedJndiProtocols", "dns"); + System.setProperty("log4j2.enableJndi", "true"); } @Test 
@@ -67,6 +70,30 @@ if (result != null) { fail("Lookup returned an object"); } + } + + @Test + public void testBadV6Lookup() throws Exception { + int port = embeddedLdapRule.embeddedServerPort(); + Context context = embeddedLdapRule.context(); + context.bind( "cn=" + RESOURCE +"," + DOMAIN_DSN, new Fruit("Test Message")); + final StrLookup lookup = new JndiLookup(); + String result = lookup.lookup(LDAP_BADV6_URL + port + "/" + "cn=" + RESOURCE + "," + DOMAIN_DSN); + if (result != null) { + fail("Lookup returned an object"); + } + } + + @Test + public void testV6Lookup() throws Exception { + int port = embeddedLdapRule.embeddedServerPort(); + Context context = embeddedLdapRule.context(); + context.bind( "cn=" + RESOURCE +"," + DOMAIN_DSN, new Fruit("Test Message")); + final StrLookup lookup = new JndiLookup(); + String result = lookup.lookup(LDAP_V6_URL + port + "/" + "cn=" + RESOURCE + "," + DOMAIN_DSN); + if (result != null) { + fail("Lookup returned an object"); + } } @Test diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/MessagePatternConverterTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/MessagePatternConverterTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/MessagePatternConverterTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/MessagePatternConverterTest.java 2021-12-13 05:40:13.000000000 +0000 
@@ -121,7 +121,7 @@ .setMessage(msg).build(); final StringBuilder sb = new StringBuilder(); converter.format(event, sb); - assertEquals("bar", sb.toString(), "Unexpected result"); + assertEquals("${foo}", sb.toString(), "Unexpected result"); } @Test diff -Nru apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/RegexReplacementTest.java apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/RegexReplacementTest.java --- apache-log4j2-2.15.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/RegexReplacementTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/RegexReplacementTest.java 2021-12-13 05:40:13.000000000 +0000 @@ -67,7 +67,7 @@ List msgs = app.getMessages(); assertNotNull(msgs); assertEquals(1, msgs.size(), "Incorrect number of messages. Should be 1 is " + msgs.size()); - assertEquals("LoggerTest This is a test for Apache" + Strings.LINE_SEPARATOR, msgs.get(0)); + assertEquals("LoggerTest This is a test for ${ctx:MyKey}" + Strings.LINE_SEPARATOR, msgs.get(0)); } @Test diff -Nru apache-log4j2-2.15.0/log4j-core-its/pom.xml apache-log4j2-2.16.0/log4j-core-its/pom.xml --- apache-log4j2-2.15.0/log4j-core-its/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core-its/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-core-its diff -Nru apache-log4j2-2.15.0/log4j-core-its/src/test/java/org/apache/logging/log4j/core/SimplePerfTest.java apache-log4j2-2.16.0/log4j-core-its/src/test/java/org/apache/logging/log4j/core/SimplePerfTest.java --- apache-log4j2-2.15.0/log4j-core-its/src/test/java/org/apache/logging/log4j/core/SimplePerfTest.java 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core-its/src/test/java/org/apache/logging/log4j/core/SimplePerfTest.java 2021-12-13 05:40:13.000000000 +0000 
@@ -161,7 +161,7 @@ private static void bubbleSort(final int array[]) { final int length = array.length; for (int i = 0; i < length; i++) { - for (int j = 1; j > length - i; j++) { + for (int j = 1; j < length - i; j++) { if (array[j-1] > array[j]) { final int temp = array[j-1]; array[j-1] = array[j]; diff -Nru apache-log4j2-2.15.0/log4j-core-java9/pom.xml apache-log4j2-2.16.0/log4j-core-java9/pom.xml --- apache-log4j2-2.15.0/log4j-core-java9/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-core-java9/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-core-java9 @@ -54,7 +54,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-couchdb/pom.xml apache-log4j2-2.16.0/log4j-couchdb/pom.xml --- apache-log4j2-2.15.0/log4j-couchdb/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-couchdb/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-distribution/pom.xml apache-log4j2-2.16.0/log4j-distribution/pom.xml --- apache-log4j2-2.15.0/log4j-distribution/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-distribution/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-distribution diff -Nru apache-log4j2-2.15.0/log4j-docker/pom.xml apache-log4j2-2.16.0/log4j-docker/pom.xml --- apache-log4j2-2.15.0/log4j-docker/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-docker/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-docker 
@@ -69,7 +69,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-flume-ng/pom.xml apache-log4j2-2.16.0/log4j-flume-ng/pom.xml --- apache-log4j2-2.15.0/log4j-flume-ng/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-flume-ng/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-flume-ng diff -Nru apache-log4j2-2.15.0/log4j-iostreams/pom.xml apache-log4j2-2.16.0/log4j-iostreams/pom.xml --- apache-log4j2-2.15.0/log4j-iostreams/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-iostreams/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-iostreams diff -Nru apache-log4j2-2.15.0/log4j-jakarta-web/pom.xml apache-log4j2-2.16.0/log4j-jakarta-web/pom.xml --- apache-log4j2-2.15.0/log4j-jakarta-web/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jakarta-web/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-jcl/pom.xml apache-log4j2-2.16.0/log4j-jcl/pom.xml --- apache-log4j2-2.15.0/log4j-jcl/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jcl/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-jcl diff -Nru apache-log4j2-2.15.0/log4j-jdbc-dbcp2/pom.xml apache-log4j2-2.16.0/log4j-jdbc-dbcp2/pom.xml --- apache-log4j2-2.15.0/log4j-jdbc-dbcp2/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jdbc-dbcp2/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -11,7 +11,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-jmx-gui/pom.xml apache-log4j2-2.16.0/log4j-jmx-gui/pom.xml --- apache-log4j2-2.15.0/log4j-jmx-gui/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jmx-gui/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-jmx-gui diff -Nru apache-log4j2-2.15.0/log4j-jpa/pom.xml apache-log4j2-2.16.0/log4j-jpa/pom.xml --- apache-log4j2-2.15.0/log4j-jpa/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jpa/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -11,7 +11,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-jpl/pom.xml apache-log4j2-2.16.0/log4j-jpl/pom.xml --- apache-log4j2-2.15.0/log4j-jpl/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jpl/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 ../ 4.0.0 @@ -96,7 +96,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-jul/pom.xml apache-log4j2-2.16.0/log4j-jul/pom.xml --- apache-log4j2-2.15.0/log4j-jul/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-jul/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 ../ 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-kubernetes/pom.xml apache-log4j2-2.16.0/log4j-kubernetes/pom.xml --- apache-log4j2-2.15.0/log4j-kubernetes/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-kubernetes/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-kubernetes 
@@ -64,7 +64,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-layout-template-json/pom.xml apache-log4j2-2.16.0/log4j-layout-template-json/pom.xml --- apache-log4j2-2.15.0/log4j-layout-template-json/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-layout-template-json/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -22,7 +22,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 log4j-layout-template-json diff -Nru apache-log4j2-2.15.0/log4j-liquibase/pom.xml apache-log4j2-2.16.0/log4j-liquibase/pom.xml --- apache-log4j2-2.15.0/log4j-liquibase/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-liquibase/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-liquibase diff -Nru apache-log4j2-2.15.0/log4j-mongodb3/pom.xml apache-log4j2-2.16.0/log4j-mongodb3/pom.xml --- apache-log4j2-2.15.0/log4j-mongodb3/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-mongodb3/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-mongodb4/pom.xml apache-log4j2-2.16.0/log4j-mongodb4/pom.xml --- apache-log4j2-2.15.0/log4j-mongodb4/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-mongodb4/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/log4j-osgi/pom.xml apache-log4j2-2.16.0/log4j-osgi/pom.xml --- apache-log4j2-2.15.0/log4j-osgi/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-osgi/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-osgi diff -Nru apache-log4j2-2.15.0/log4j-perf/pom.xml apache-log4j2-2.16.0/log4j-perf/pom.xml --- apache-log4j2-2.15.0/log4j-perf/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-perf/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 ../ @@ -166,7 +166,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-samples/log4j-samples-configuration/pom.xml apache-log4j2-2.16.0/log4j-samples/log4j-samples-configuration/pom.xml --- apache-log4j2-2.15.0/log4j-samples/log4j-samples-configuration/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/log4j-samples-configuration/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j-samples org.apache.logging.log4j.samples - 2.15.0 + 2.16.0 log4j-samples-configuration jar diff -Nru apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-common/pom.xml apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-common/pom.xml --- apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-common/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-common/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j-samples org.apache.logging.log4j.samples - 2.15.0 + 2.16.0 log4j-samples-flume-common jar diff -Nru apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-embedded/pom.xml apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-embedded/pom.xml --- apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-embedded/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-embedded/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ log4j-samples org.apache.logging.log4j.samples - 2.15.0 + 2.16.0 log4j-samples-flume-embedded war diff -Nru apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-remote/pom.xml apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-remote/pom.xml --- apache-log4j2-2.15.0/log4j-samples/log4j-samples-flume-remote/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/log4j-samples-flume-remote/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j-samples org.apache.logging.log4j.samples - 2.15.0 + 2.16.0 log4j-samples-flume-remote war diff -Nru apache-log4j2-2.15.0/log4j-samples/log4j-samples-loggerProperties/pom.xml apache-log4j2-2.16.0/log4j-samples/log4j-samples-loggerProperties/pom.xml --- apache-log4j2-2.15.0/log4j-samples/log4j-samples-loggerProperties/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/log4j-samples-loggerProperties/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j-samples org.apache.logging.log4j.samples - 2.15.0 + 2.16.0 log4j-samples-loggerProperties jar diff -Nru apache-log4j2-2.15.0/log4j-samples/pom.xml apache-log4j2-2.16.0/log4j-samples/pom.xml --- apache-log4j2-2.15.0/log4j-samples/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-samples/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ org.apache.logging.log4j.samples diff -Nru apache-log4j2-2.15.0/log4j-slf4j-impl/pom.xml apache-log4j2-2.16.0/log4j-slf4j-impl/pom.xml --- apache-log4j2-2.15.0/log4j-slf4j-impl/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-slf4j-impl/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-slf4j-impl diff -Nru apache-log4j2-2.15.0/log4j-slf4j18-impl/pom.xml apache-log4j2-2.16.0/log4j-slf4j18-impl/pom.xml --- apache-log4j2-2.15.0/log4j-slf4j18-impl/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-slf4j18-impl/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-slf4j18-impl diff -Nru apache-log4j2-2.15.0/log4j-spring-boot/pom.xml apache-log4j2-2.16.0/log4j-spring-boot/pom.xml --- apache-log4j2-2.15.0/log4j-spring-boot/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-boot/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-spring-boot @@ -167,7 +167,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml --- apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j-spring-cloud-config - 2.15.0 + 2.16.0 ../ log4j-spring-cloud-config-client 
@@ -148,7 +148,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 diff -Nru apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml --- apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -21,7 +21,7 @@ org.apache.logging.log4j.samples log4j-spring-cloud-config-samples - 2.15.0 + 2.16.0 .. @@ -168,7 +168,7 @@ org.apache.maven.plugins maven-toolchains-plugin - 1.1 + 3.0.0 @@ -293,4 +293,4 @@ - \ No newline at end of file + diff -Nru apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml --- apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -21,7 +21,7 @@ org.apache.logging.log4j.samples log4j-spring-cloud-config-sample-server jar - 2.15.0 + 2.16.0 Apache Log4j Sample Configuration Service Sample Cloud Config Server 
@@ -289,6 +289,6 @@ - log4j-2.15.0-rc2 + log4j-2.16.0-rc1 diff -Nru apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml --- apache-log4j2-2.15.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j-spring-cloud-config - 2.15.0 + 2.16.0 ../ org.apache.logging.log4j.samples diff -Nru apache-log4j2-2.15.0/log4j-spring-cloud-config/pom.xml apache-log4j2-2.16.0/log4j-spring-cloud-config/pom.xml --- apache-log4j2-2.15.0/log4j-spring-cloud-config/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-spring-cloud-config/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ org.apache.logging.log4j diff -Nru apache-log4j2-2.15.0/log4j-taglib/pom.xml apache-log4j2-2.16.0/log4j-taglib/pom.xml --- apache-log4j2-2.15.0/log4j-taglib/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-taglib/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-taglib diff -Nru apache-log4j2-2.15.0/log4j-to-slf4j/pom.xml apache-log4j2-2.16.0/log4j-to-slf4j/pom.xml --- apache-log4j2-2.15.0/log4j-to-slf4j/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-to-slf4j/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ org.apache.logging.log4j log4j - 2.15.0 + 2.16.0 ../ log4j-to-slf4j diff -Nru apache-log4j2-2.15.0/log4j-web/pom.xml apache-log4j2-2.16.0/log4j-web/pom.xml --- apache-log4j2-2.15.0/log4j-web/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/log4j-web/pom.xml 2021-12-13 05:40:13.000000000 +0000 
@@ -20,7 +20,7 @@ log4j org.apache.logging.log4j - 2.15.0 + 2.16.0 4.0.0 diff -Nru apache-log4j2-2.15.0/pom.xml apache-log4j2-2.16.0/pom.xml --- apache-log4j2-2.15.0/pom.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/pom.xml 2021-12-13 05:40:13.000000000 +0000 @@ -20,7 +20,7 @@ log4j pom Apache Log4j 2 - 2.15.0 + 2.16.0 org.apache.logging logging-parent @@ -183,16 +183,16 @@ scm:git:https://gitbox.apache.org/repos/asf/logging-log4j2.git scm:git:https://gitbox.apache.org/repos/asf/logging-log4j2.git https://gitbox.apache.org/repos/asf?p=logging-log4j2.git - log4j-2.15.0-rc2 + log4j-2.16.0-rc1 ${basedir} - 2.15.0 - Ralph Goers - B3D8E1BA - - + 2.16.0 + + + Matt Sicker + 748F15B2CF9BA8F024155E6ED7C92B70FA1C814D 1.7.25 1.2.3 @@ -240,7 +240,7 @@ ${project.build.outputDirectory}/META-INF/MANIFEST.MF 1.8 1.8 - false + true UTF-8 Site Documentation diff -Nru apache-log4j2-2.15.0/src/changes/announcement.vm apache-log4j2-2.16.0/src/changes/announcement.vm --- apache-log4j2-2.15.0/src/changes/announcement.vm 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/src/changes/announcement.vm 2021-12-13 05:40:13.000000000 +0000 
@@ -65,29 +65,23 @@ The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html. -This release contains a number of bug fixes and minor enhancements which are listed below. +This release contains one change which is noted below. Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See https://issues.apache.org/jira/browse/LOG4J2-2975 and https://jira.qos.ch/browse/SLF4J-511. -Some of the new features in Log4j 2.15.0 include: +Some of the changes in Log4j ${relVersion} include: -* Support for Arbiters, which are conditionals that can enable sections of the logging configuration -for inclusion or exclusion. In particular, SpringProfile, SystemProperty, Script, and Class Arbiters have been -provided that use the Spring profile, System property, the result of a script, or the presence of a class respectively -to determine whether a section of configuration should be included. -* Support for Jakarta EE 9. This is functionally equivalent to Log4j's log4j-web module but uses the Jakarta project. -* Various performance improvements. - -Key changes to note: - -* Prior to this release Log4j would automatically resolve Lookups contained in the message or its parameters in the -Pattern Layout. Thisbehavior is no longer the default and must be enabled by specifying %msg{lookup}. -* The JNDI Lookup has been restricted to only support the java, ldap, and ldaps protocols by default. LDAP also no -longer supports classes that implement the Referenceable interface and restricts the Serializable classes to the -Java primative classes by default and requires an allow list to be specified to access remote LDAP servers. +* Remove Message Lookups. 
+* While release 2.15.0 removed the ability to resolve Lookups and log messages and addressed issues with how JNDI +is accessed, the Log4j team feels that having JNDI enabled by default introduces an undue risk for our users. +Starting in version 2.16.0, JNDI functionality is disabled by default and can be re-enabled via the +`log4j2.enableJndi` system property. Use of JNDI in an unprotected context is a large security risk and +should be treated as such in both this library and all other Java libraries using JNDI. +* Prior to version 2.15.0, Log4j would automatically resolve Lookups contained in the message or its parameters in the +Pattern Layout. This behavior is no longer the default and must be enabled by specifying %msg{lookup}. The Log4j ${relVersion} API, as well as many core components, maintains binary compatibility with previous releases. @@ -137,4 +131,4 @@ For complete information on ${project.name}, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache ${project.name} website: -${project.url} \ No newline at end of file +${project.url} diff -Nru apache-log4j2-2.15.0/src/changes/changes.xml apache-log4j2-2.16.0/src/changes/changes.xml --- apache-log4j2-2.15.0/src/changes/changes.xml 2021-12-09 18:24:32.000000000 +0000 +++ apache-log4j2-2.16.0/src/changes/changes.xml 2021-12-13 05:40:13.000000000 +0000 @@ -29,6 +29,14 @@ - "update" - Change - "remove" - Removed --> + + + Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. + + + Completely remove support for Message Lookups. + +
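Review bot: the maven-toolchains-plugin bump from 1.1 to 3.0.0 is a major-version build-tool change with no visible connection to the JNDI fix. It appears in log4j-perf/pom.xml at @@ -166,7, log4j-spring-boot/pom.xml at @@ -167,7, log4j-spring-cloud-config-client/pom.xml at @@ -148,7 and the sample-application pom.xml at @@ -168,7. For a stable-suite security update, confirm that the package build either does not resolve this plugin or has the 3.0.0 version available, and say so in the changelog so the reviewer of the upload does not have to infer it.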
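Review bot: the new signer fingerprint 748F15B2CF9BA8F024155E6ED7C92B70FA1C814D in the top-level pom.xml hunk at @@ -183,16 +183,16 should be verified against the project's published KEYS file before the upstream tarball is accepted, because both the release manager name (Ralph Goers to Matt Sicker) and the key change in the same release. Moving from the 8-hex-digit ID B3D8E1BA to a full 40-hex fingerprint is the right direction, since short key IDs are not collision resistant. If the packaging pins an upstream signing key for tarball verification, that key needs the same update.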
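Review bot: the false to true flip in the top-level pom.xml hunk at @@ -240,7 +240,7 cannot be assessed from this rendering, because the element name was lost and only the neighbouring values 1.8, 1.8 and UTF-8 survive. Check the unrendered pom.xml to see which build property is being switched on, and confirm it does not change what the Debian build produces, since it is unrelated to the two changes recorded in src/changes/changes.xml.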
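Review bot: the last added bullet in the src/changes/announcement.vm hunk at @@ -65,29 +65,23 still says the message-lookup behaviour "must be enabled by specifying %msg{lookup}", which contradicts the first bullet "Remove Message Lookups." and the changes.xml entry "Completely remove support for Message Lookups." A reader could conclude that %msg{lookup} still turns lookups back on in 2.16.0. Suggest stating that the option existed in 2.15.0 and is gone as of this release, or dropping the sentence. In the same hunk, "This release contains one change" sits above a list introduced as "Some of the changes", and "resolve Lookups and log messages" reads like a typo for "in log messages".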
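Review bot: the two entries added in src/changes/changes.xml at @@ -29,6 +29,14 are behaviour breaks for existing deployments, and the diffstat lists only debian/changelog under debian/, so no upgrade note reaches administrators. "Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI." means configurations that rely on JNDI will stop working after the update until the property is set, and the diffstat shows JmsManager.java and JndiContextSelector.java among the touched files. Suggest a debian/NEWS entry naming the log4j2.enableJndi system property and the removal of Message Lookups, with the announcement's caution that JNDI in an unprotected context is a large security risk.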