release: final apache: true title: 3.2.1 date: 2021-12-22 summary: > Patch release supercedes 3.2.0. Provides updated dependencies to fix CVE-2021-44228 (Log4J), CVE-2021-45105 (Log4J), and CVE-2021-33813 (JDOM). Fixes unparse checksum and CRC capability (JIRA DAFFODIL-2609) Otherwise contains all the same functionality as Release 3.2.0 which it replaces.

source-dist: - “apache-daffodil-3.2.1-src.zip”

binary-dist: - “apache-daffodil-3.2.1-bin.tgz” - “apache-daffodil-3.2.1-bin.zip” - “apache-daffodil-3.2.1-bin.msi” - “apache-daffodil-3.2.1-1.noarch.rpm”

scala-version: 2.12

This release is a patch on top of Release 3.2.0 to improve security and fix a major functional bug.

The Release Notes for 3.2.0 are still relevant to understand the features and functionality in this 3.2.1 patch release.

Security Improvements

This release fixes three security CVEs by updating dependency versions.

  • {% jira 2610 %} Update log4J dependency to fix CVE-2021-44228 and CVE-2021-45105
  • {% jira 2611 %} Update JDOM dependency to fix CVE-2021-33813

Functional Improvements

A major feature, layering transforms with checksum/CRC capability, which was planned for the prior release (3.2.0) was found to be buggy when unparsing. This has been fixed.

  • {% jira 2608 %} PCAP fails with Daf 3.2.0 and IPv4 layers with checksum

Miscellaneous Changes

  • {% jira 2577 %} remove Info message about compiler component counts
  • {% jira 2145 %} Add scalac warnings
  • {% jira 2592 %} Move the daffodil_program_version variable outside of generated_code.c
  • {% jira 2534 %} Update ICU version - verify Daffodil impact of bug issue identified by IBM
  • {% jira 2587 %} dfdlx:lookAhead compiler error if used in default value of dfdl:newVariableInstance
  • {% jira 2600 %} encoding varies with environment - UTF-8 not properly set somewhere
  • {% jira 2602 %} Daffodil uses different versions of log4j-api and log4j-core

Deprecation/Compatibility

There are no deprecations. This release is fully compatible with all functionality of the prior release.

Dependency Changes

The following dependencies have been added or updated

Core

  • Log4j core 2.17.0 (update)
  • Log4j api 2.17.0 (update)
  • JDOM2 2.0.6.1 (update)

Code Generator

  • OS-Lib 0.8.0 (update)