RELEASE-NOTES.txt - logging-log4j2 - Git at Google


               Apache Log4j 2.3.2 RELEASE NOTES

 The Apache Log4j 2 team is pleased to announce the Log4j 2.3.2 release!

 Apache log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to
 Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides
 many other modern features such as support for Markers, property substitution using Lookups, and asynchronous
 Loggers. In addition, Log4j 2 will not lose events while reconfiguring.

 The major changes contained in this release include:

 * Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.
 * Adddress CVE-2021-44882 by removing processing of Lookups in the Message Pattern Converter of the Pattern Layout and
 preventing JNDI operations to use any protocols other than java.
 * The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled.

 The JNDI components are now disabled by default and may separately be enabled with three individual properties; log4j2.enableJndiContextSelector, log4j2.enableJndiJms, and log4j2.enableJndiLookup.

 GA Release 2.3.2

 Changes in this version include:


 Fixed Bugs:
 o LOG4J2-3293:  JDBC Appender should use JNDI Manager and JNDI access should be limited.
         Backport fix for CVE-2021-44832.
 o LOG4J2-2819:  Add support for specifying an SSL configuration for SmtpAppender.
         Backport fix for CVE-2020-9488 to allow SSL/TLS hostname verification.


 Apache Log4j 2.3.2 requires a minimum of Java 6 to build and run. It is not expected that any future Java 6
 releases will be provided.

 Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api component, however it does not implement some of the
 very implementation specific classes and methods. The package names and Maven groupId have been changed to
 org.apache.logging.log4j to avoid any conflicts with log4j 1.x.

 For complete information on Apache Log4j 2, including instructions on how to submit bug reports,
 patches, or suggestions for improvement, see the Apache Apache Log4j 2 website:

 http://logging.apache.org/log4j/2.x/

	Apache Log4j 2.3.2 RELEASE NOTES

	The Apache Log4j 2 team is pleased to announce the Log4j 2.3.2 release!

	Apache log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to
	Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides
	many other modern features such as support for Markers, property substitution using Lookups, and asynchronous
	Loggers. In addition, Log4j 2 will not lose events while reconfiguring.

	The major changes contained in this release include:

	* Address CVE-2021-45046 and CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.
	* Adddress CVE-2021-44882 by removing processing of Lookups in the Message Pattern Converter of the Pattern Layout and
	preventing JNDI operations to use any protocols other than java.
	* The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled.

	The JNDI components are now disabled by default and may separately be enabled with three individual properties; log4j2.enableJndiContextSelector, log4j2.enableJndiJms, and log4j2.enableJndiLookup.

	GA Release 2.3.2

	Changes in this version include:


	Fixed Bugs:
	o LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access should be limited.
	Backport fix for CVE-2021-44832.
	o LOG4J2-2819: Add support for specifying an SSL configuration for SmtpAppender.
	Backport fix for CVE-2020-9488 to allow SSL/TLS hostname verification.



	Apache Log4j 2.3.2 requires a minimum of Java 6 to build and run. It is not expected that any future Java 6
	releases will be provided.

	Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api component, however it does not implement some of the
	very implementation specific classes and methods. The package names and Maven groupId have been changed to
	org.apache.logging.log4j to avoid any conflicts with log4j 1.x.

	For complete information on Apache Log4j 2, including instructions on how to submit bug reports,
	patches, or suggestions for improvement, see the Apache Apache Log4j 2 website:

	http://logging.apache.org/log4j/2.x/