github-bot pushed a commit to branch main-site-stg-out
in repository https://gitbox.apache.org/repos/asf/logging-site.git
The following commit(s) were added to refs/heads/main-site-stg-out by this push:
new 1ef380d5 Add website content generated from
`5b84615bcd0b584ea4a9d1edc6c29017e968d970`
1ef380d5 is described below
commit 1ef380d5d512f44949f8b4551a3da179bc4587a5
Author: ASF Logging Services RM <[email protected]>
AuthorDate: Wed Mar 25 19:40:18 2026 +0000
Add website content generated from
`5b84615bcd0b584ea4a9d1edc6c29017e968d970`
---
_/css/site.css | 2 +-
_/js/site.js | 3 +-
blog/20231117-flume-joins-logging-services.html | 6 +
blog/20231128-new-pmc-member.html | 6 +
blog/20231202-apache-common-logging-1.3.0.html | 6 +
blog/20231214-announcing-support-from-the-stf.html | 6 +
blog/20231218-20-years-of-innovation.html | 6 +
...20240725-Log4j-At-Community-Over-Code-2024.html | 6 +
blog/20240808-welcome-to-the-pmc-jan.html | 6 +
blog/20240812-log4j-bug-bounty.html | 6 +
blog/20250728-introduction-to-vex-files.html | 6 +
blog/index.html | 6 +
charter.html | 6 +
download.html | 6 +
guidelines.html | 6 +
index.html | 6 +
processes.html | 6 +
security.html | 19 +
security/faq.html | 451 +++++++++++++++++++++
sitemap.xml | 44 +-
support.html | 6 +
team-list.html | 6 +
what-is-logging.html | 6 +
xml/ns/index.html | 6 +
24 files changed, 611 insertions(+), 22 deletions(-)
diff --git a/_/css/site.css b/_/css/site.css
index 63c0c7de..980f8b4a 100644
--- a/_/css/site.css
+++ b/_/css/site.css
@@ -1,3 +1,3 @@
-@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:url(../font/roboto-latin-400-normal.woff2)
format("woff2"),url(../font/roboto-latin-400-normal.woff)
format("woff");unicode-range:U+00??,U+0131,U+0152-0153,U+02bb-02bc,U+02c6,U+02da,U+02dc,U+2000-206f,U+2074,U+20ac,U+2122,U+2191,U+2193,U+2212,U+2215,U+feff,U+fffd}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:url(../font/roboto-cyrillic-400-normal.woff2)
format("woff2");unicode-range:U+0301,U+0400-04 [...]
+@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:url(../font/roboto-latin-400-normal.woff2)
format("woff2"),url(../font/roboto-latin-400-normal.woff)
format("woff");unicode-range:U+00??,U+0131,U+0152-0153,U+02bb-02bc,U+02c6,U+02da,U+02dc,U+2000-206f,U+2074,U+20ac,U+2122,U+2191,U+2193,U+2212,U+2215,U+feff,U+fffd}@font-face{font-family:Roboto;font-style:normal;font-weight:400;src:url(../font/roboto-cyrillic-400-normal.woff2)
format("woff2");unicode-range:U+0301,U+0400-04 [...]
/*! Adapted from the GitHub style by Vasily Polovnyov <[email protected]>
*/.hljs-comment,.hljs-quote{color:#998;font-style:italic}.hljs-keyword,.hljs-selector-tag,.hljs-subst{color:#333;font-weight:600}.hljs-literal,.hljs-number,.hljs-tag
.hljs-attr,.hljs-template-variable,.hljs-variable{color:teal}.hljs-doctag,.hljs-string{color:#d14}.hljs-section,.hljs-selector-id,.hljs-title{color:#900;font-weight:600}.hljs-subst{font-weight:400}.hljs-class
.hljs-title,.hljs-type{color:#458;font-wei [...]
\ No newline at end of file
diff --git a/_/js/site.js b/_/js/site.js
index 3177860a..916a120d 100644
--- a/_/js/site.js
+++ b/_/js/site.js
@@ -3,4 +3,5 @@
!function(){"use strict";var
o,i,c=document.querySelector("article.doc");function n(e){return
e&&(~e.indexOf("%")?decodeURIComponent(e):e).slice(1)}function
r(e){if(e){if(e.altKey||e.ctrlKey)return;window.location.hash="#"+this.id,e.preventDefault()}var
t=function n(e,t){return
c.contains(e)?n(e.offsetParent,e.offsetTop+t):t}(this,0)-o.getBoundingClientRect().bottom;!1===e&&i?window.scrollTo({left:0,top:t,behavior:"instant"}):window.scrollTo(0,t)}c&&(o=document.querySelector(".toolbar"),
[...]
!function(){"use strict";var t,e=document.querySelector(".page-versions
.version-menu-toggle");e&&(t=document.querySelector(".page-versions"),e.addEventListener("click",function(e){t.classList.toggle("is-active"),e.stopPropagation()}),document.documentElement.addEventListener("click",function(){t.classList.remove("is-active")}))}();
!function(){"use strict";var
i=document.querySelector(".navbar-burger");i&&i.addEventListener("click",function(t){t.stopPropagation(),document.documentElement.classList.toggle("is-clipped--navbar"),i.setAttribute("aria-expanded",this.classList.toggle("is-active"));t=document.getElementById(this.getAttribute("aria-controls")||this.dataset.target);{var
e;t.classList.toggle("is-active")&&(t.style.maxHeight="",e=window.innerHeight-Math.round(t.getBoundingClientRect().top),parseInt(window.get
[...]
-!function(){"use strict";var o=/^\$ (\S[^\\\n]*(\\\n(?!\$
)[^\\\n]*)*)(?=\n|$)/gm,s=/( ) *\\\n *|\\\n( ?) */g,l=/
+$/gm,e=(document.getElementById("site-script")||{dataset:{}}).dataset,d=window.navigator.clipboard,r=e.svgAs,p=(null==e.uiRootPath?window:e).uiRootPath||".";[].slice.call(document.querySelectorAll(".doc
pre.highlight, .doc .literalblock pre")).forEach(function(e){var
t,n,a,c;if(e.classList.contains("highlight"))(i=(t=e.querySelector("code")).dataset.lang)&&"console"!==i&&((a
[...]
\ No newline at end of file
+!function(){"use strict";var o=/^\$ (\S[^\\\n]*(\\\n(?!\$
)[^\\\n]*)*)(?=\n|$)/gm,s=/( ) *\\\n *|\\\n( ?) */g,l=/
+$/gm,e=(document.getElementById("site-script")||{dataset:{}}).dataset,d=window.navigator.clipboard,r=e.svgAs,p=(null==e.uiRootPath?window:e).uiRootPath||".";[].slice.call(document.querySelectorAll(".doc
pre.highlight, .doc .literalblock pre")).forEach(function(e){var
t,n,a,c;if(e.classList.contains("highlight"))(i=(t=e.querySelector("code")).dataset.lang)&&"console"!==i&&((a
[...]
+!function(){"use strict";function
i(e,t,r){if(e.scrollHeight!==e.getBoundingClientRect().height)for(t=t.slice(1,-1).reverse();t.length&&e.scrollHeight>e.getBoundingClientRect().height;){var
i,n=t.pop(),l=(n=n.querySelector("a")||n).innerText.trim();l.length>r&&(n.setAttribute("title",l),i=l.slice(0,i=r-3)+("
"===l.charAt(i)?" ":"")+"...",n.innerText=i)}}var
e,t,r;!(r=document.querySelector(".toolbar"))||(e=Array.prototype.slice.call(r.querySelectorAll(".breadcrumbs
li")||[])).length<3||( [...]
\ No newline at end of file
diff --git a/blog/20231117-flume-joins-logging-services.html
b/blog/20231117-flume-joins-logging-services.html
index 7d8ca861..6f4601f1 100644
--- a/blog/20231117-flume-joins-logging-services.html
+++ b/blog/20231117-flume-joins-logging-services.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20231128-new-pmc-member.html
b/blog/20231128-new-pmc-member.html
index 6f55ad8b..32580414 100644
--- a/blog/20231128-new-pmc-member.html
+++ b/blog/20231128-new-pmc-member.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20231202-apache-common-logging-1.3.0.html
b/blog/20231202-apache-common-logging-1.3.0.html
index 5307dc35..1aa4e94d 100644
--- a/blog/20231202-apache-common-logging-1.3.0.html
+++ b/blog/20231202-apache-common-logging-1.3.0.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20231214-announcing-support-from-the-stf.html
b/blog/20231214-announcing-support-from-the-stf.html
index b7cb1b85..6ad9c262 100644
--- a/blog/20231214-announcing-support-from-the-stf.html
+++ b/blog/20231214-announcing-support-from-the-stf.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20231218-20-years-of-innovation.html
b/blog/20231218-20-years-of-innovation.html
index 05e90e6a..ef01037b 100644
--- a/blog/20231218-20-years-of-innovation.html
+++ b/blog/20231218-20-years-of-innovation.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20240725-Log4j-At-Community-Over-Code-2024.html
b/blog/20240725-Log4j-At-Community-Over-Code-2024.html
index c0e910a9..fa4af12b 100644
--- a/blog/20240725-Log4j-At-Community-Over-Code-2024.html
+++ b/blog/20240725-Log4j-At-Community-Over-Code-2024.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20240808-welcome-to-the-pmc-jan.html
b/blog/20240808-welcome-to-the-pmc-jan.html
index 89824ade..8fba8b45 100644
--- a/blog/20240808-welcome-to-the-pmc-jan.html
+++ b/blog/20240808-welcome-to-the-pmc-jan.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20240812-log4j-bug-bounty.html
b/blog/20240812-log4j-bug-bounty.html
index 8127402f..7ee7325a 100644
--- a/blog/20240812-log4j-bug-bounty.html
+++ b/blog/20240812-log4j-bug-bounty.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/20250728-introduction-to-vex-files.html
b/blog/20250728-introduction-to-vex-files.html
index 9471546e..66b7bd0a 100644
--- a/blog/20250728-introduction-to-vex-files.html
+++ b/blog/20250728-introduction-to-vex-files.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/blog/index.html b/blog/index.html
index 82629a64..b90a9ea2 100644
--- a/blog/index.html
+++ b/blog/index.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
diff --git a/charter.html b/charter.html
index 0cc0d841..5527bbb8 100644
--- a/charter.html
+++ b/charter.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/download.html b/download.html
index f472849a..a0cd138d 100644
--- a/download.html
+++ b/download.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/guidelines.html b/guidelines.html
index 819be5a6..e9df3ffe 100644
--- a/guidelines.html
+++ b/guidelines.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/index.html b/index.html
index a06c0694..acd96343 100644
--- a/index.html
+++ b/index.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/processes.html b/processes.html
index f2801b4c..49911a92 100644
--- a/processes.html
+++ b/processes.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/security.html b/security.html
index 9145ea6f..f130c639 100644
--- a/security.html
+++ b/security.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item is-current-page" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
@@ -211,6 +217,19 @@ These instructions can be found in
<code>BUILDING.adoc</code>, <code>BUILDING.md
<p>We urge you to <strong>carefully read the threat model</strong> detailed in
following sections before submitting a report.
It guides users on certain safety instructions while using Logging Services
software and elaborates on what counts as an unexpected behaviour that has a
security impact.</p>
</div>
+<div class="paragraph">
+<p>Before reporting a vulnerability, please make sure to check:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>The <a href="security/faq.html" class="xref page">FAQ</a> for frequently
reported issues that are not considered vulnerabilities.</p>
+</li>
+<li>
+<p>The list of <a href="#vulnerabilities">known vulnerabilities</a> to check
if the issue has already been reported.</p>
+</li>
+</ul>
+</div>
</td>
</tr>
</table>
diff --git a/security/faq.html b/security/faq.html
new file mode 100644
index 00000000..4e8c730f
--- /dev/null
+++ b/security/faq.html
@@ -0,0 +1,451 @@
+<!DOCTYPE html>
+<html lang="en">
+ <head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width,initial-scale=1">
+ <title>Frequently Reported Vulnerabilities :: Apache Logging
Services</title>
+ <link rel="canonical" href="https://logging.apache.org/security/faq.html">
+ <meta name="generator" content="Antora 3.2.0-alpha.11">
+<link rel="stylesheet" href="../_/css/site.css">
+<link rel="icon" href="../_/../_images/favicon.ico" type="image/x-icon">
+<!-- `@asciidoctor/tabs` extension styles -->
+<link rel="stylesheet" href="../_/css/vendor/tabs.css">
+<style>
+ /* Swap colors of `IMPORTANT` and `WARNING` blocks */
+ .doc .admonitionblock.important .icon { background-color: #f70; }
+ .doc .admonitionblock.warning .icon { background-color: #e40046; }
+ /* Default `h4`, `h5`, and `h6` are smaller than the normal text, fix header
font sizing: */
+ .doc h1 { font-size: 1.9rem; }
+ .doc h2 { font-size: 1.7rem; }
+ .doc h3 { font-size: 1.5rem; font-weight: 400; }
+ .doc h4 { font-size: 1.3rem; font-weight: 500; }
+ .doc h5 { font-size: 1.1rem; font-weight: 500; text-decoration: underline; }
+ .doc h6 { font-size: 0.9rem; font-weight: 500; text-decoration: underline; }
+ /* Default `code`, `pre`, and `.colist` (source code annotations) fonts are
too big, adjust them: */
+ .doc .colist>table code, .doc p code, .doc thead code { font-size: 0.8em; }
+ .doc pre { font-size: 0.7rem; }
+ .doc .colist { font-size: 0.75rem; }
+ /* Make links more visible: */
+ .doc a { text-decoration: underline; }
+ .doc a code { text-decoration: underline; color: #1565c0; }
+ /* Make nav bar wider */
+ .nav-container { width:19rem; }
+ /* Tab header fonts aren't rendered good, adjusting the font weight: */
+ .tablist > ul li { font-weight: 500; }
+ /* `page-toclevels` greater than 4 are not supported by Antora UI, patching
it: */
+ .toc .toc-menu li[data-level="4"] a {
+ padding-left: 2.75rem;
+ }
+ /* Replace the default highlight.js color for strings from red
(unnecessarily signaling something negative) to green: */
+ .hljs-string {
+ color: #0f8532;
+ }
+</style>
+ </head>
+ <body class="article">
+<header class="header">
+ <nav class="navbar">
+ <div class="navbar-brand">
+ <a class="navbar-item" href="https://logging.apache.org">Logging
Services</a>
+ </div>
+ <div id="topbar-nav" class="navbar-menu">
+ <div class="navbar-end">
+ <a class="navbar-item" href="https://apache.org">a project
of <strong>Apache Software Foundation</strong></a>
+ </div>
+ </div>
+ </nav>
+</header>
+<div class="body">
+<div class="nav-container" data-component="ROOT" data-version="">
+ <aside class="nav">
+ <div class="panels">
+<div class="nav-panel-menu is-active" data-panel="menu">
+ <nav class="nav-menu">
+ <button class="nav-menu-toggle" aria-label="Toggle expand/collapse all"
style="display: none"></button>
+ <h3 class="title"><a href="../index.html">Home</a></h3>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="0">
+<ul class="nav-list">
+ <li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
+ <span class="nav-text">About</span>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../guidelines.html">Guidelines</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../charter.html">Charter</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../team-list.html">Team</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../processes.html">Processes</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link"
href="https://cwiki.apache.org/confluence/display/LOGGING/Home">Wiki</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../what-is-logging.html">What is logging?</a>
+ </li>
+</ul>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <a class="nav-link" href="../download.html">Download</a>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <a class="nav-link" href="../support.html">Support</a>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
+ <a class="nav-link" href="../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item is-current-page" data-depth="2">
+ <a class="nav-link" href="faq.html">FAQ</a>
+ </li>
+</ul>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <a class="nav-link" href="../xml/ns/index.html">XML Schema</a>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <a class="nav-link" href="../blog/index.html">Blog</a>
+ </li>
+ <li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
+ <a class="nav-link" href="https://apache.org">The ASF</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="https://apache.org/licenses/">License</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link"
href="https://apache.org/foundation/sponsorship">Donate</a>
+ </li>
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link"
href="https://apache.org/foundation/sponsors">Thanks</a>
+ </li>
+</ul>
+ </li>
+</ul>
+ </li>
+</ul>
+ </nav>
+</div>
+ </div>
+ </aside>
+</div>
+<main class="article">
+<div class="toolbar" role="navigation">
+<button class="nav-toggle"></button>
+ <a href="../index.html" class="home-link"></a>
+<nav class="breadcrumbs" aria-label="breadcrumbs">
+ <ul>
+ <li><a href="../index.html">Home</a></li>
+ <li><a href="../security.html">Security</a></li>
+ <li><a href="faq.html">FAQ</a></li>
+ </ul>
+</nav>
+<div class="edit-this-page"><a
href="https://github.com/apache/logging-site/edit/main/src/site/antora/modules/ROOT/pages/security/faq.adoc">Edit
this Page</a></div>
+</div>
+ <div class="content">
+<aside class="toc sidebar" data-title="Contents" data-levels="2">
+ <div class="toc-menu"></div>
+</aside>
+<article class="doc">
+<h1 class="page">Frequently Reported Vulnerabilities</h1>
+<div id="preamble">
+<div class="sectionbody">
+<div class="paragraph">
+<p>This page documents issues that are <strong>frequently reported</strong> in
Logging Services software but are <strong>not considered
vulnerabilities</strong> according to our <a
href="../security.html#threat-model" class="xref page">threat model</a>.</p>
+</div>
+<div class="paragraph">
+<p>These reports often stem from valid concerns in specific contexts, but
reflect common misunderstandings about how logging systems are designed to
operate and what security guarantees they provide.</p>
+</div>
+<div class="paragraph">
+<p>The goal of this FAQ is to:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Clarify common misconceptions</p>
+</li>
+<li>
+<p>Explain why these reports fall outside our threat model</p>
+</li>
+<li>
+<p>Help you make informed decisions when configuring logging</p>
+</li>
+</ul>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>This document is not intended to dismiss security concerns, but to provide
context and guidance.
+Depending on your environment, some of these topics may still warrant
<strong>defensive configuration</strong>.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="crlf-injection"><a class="anchor" href="#crlf-injection"></a><a
href="https://cwe.mitre.org/data/definitions/93.html">CWE-93: CRLF
Injection</a></h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>Apache Logging Services libraries (Log4cxx, Log4j, and Log4net) allow users
to customize log output through a variety of layouts.
+A frequently reported issue is that CR (<code>\r</code>) and LF
(<code>\n</code>) characters present in a log event can appear in the output,
+making it difficult to reliably delimit individual events when parsing.</p>
+</div>
+<div class="paragraph">
+<p>In most configurations, this behavior is intentional and not considered a
vulnerability within the defined threat model.
+The sections below cover the layouts for which this has most commonly been
reported.</p>
+</div>
+<div class="sect2">
+<h3 id="crlf-injection-pattern-layout"><a class="anchor"
href="#crlf-injection-pattern-layout"></a>Pattern layout</h3>
+<div class="paragraph">
+<p><strong>Claim</strong>: Pattern layout is vulnerable to CRLF injection
because it does not escape CRLF characters.</p>
+</div>
+<div class="paragraph">
+<p>Pattern layout is an <strong>unstructured</strong> text format.
+It defines no fields, no delimiters, and no escaping rules, so it makes no
attempt to neutralize control characters, including CRLF sequences.
+This means:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Log output will contain CRLF characters if they are present in the
input.</p>
+</li>
+<li>
+<p>The layout itself provides <strong>no output sanitization</strong>
guarantees.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>This behavior is by design and consistent with the layout’s
purpose.</p>
+</div>
+<div class="sect3">
+<h4 id="crlf-injection-pattern-layout-why-not"><a class="anchor"
href="#crlf-injection-pattern-layout-why-not"></a>Why this is not a
vulnerability</h4>
+<div class="paragraph">
+<p>CRLF injection is a concern only when both of the following conditions
apply:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Log output is consumed as <strong>structured data</strong> (for example, by
an ingestion pipeline), <em>and</em></p>
+</li>
+<li>
+<p>Downstream consumers assume that the output has been sanitized.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Pattern layout guarantees only formatting, not safety or parseability.
+Tools such as <a
href="https://www.elastic.co/docs/reference/enrich-processor/grok-processor">Grok</a>
can parse Pattern layout output automatically, but only when the output
consistently matches the expected pattern.
+Unescaped CRLF sequences can break that assumption.</p>
+</div>
+<div class="admonitionblock important">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-important" title="Important"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>If your logs are consumed in any of these ways:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Parsed automatically by a downstream tool</p>
+</li>
+<li>
+<p>Ingested into a structured storage or SIEM system</p>
+</li>
+<li>
+<p>Used in security-sensitive workflows</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>then <strong>avoid Pattern layout</strong> and use a <strong>structured
layout</strong> instead, such as JSON or RFC 5424.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+<div class="admonitionblock tip">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-tip" title="Tip"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>If you must use Pattern layout, <strong>sanitize all inputs
explicitly</strong>, not just the log message.
+Common oversights include:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Sanitizing only <code>%m</code> (e.g. <code>%enc{%m}{CRLF}</code> in Log4j
Core) while leaving other fields unescaped</p>
+</li>
+<li>
+<p>The implicit <code>%ex</code> pattern specifier (exception stack traces),
which are a frequent and overlooked source of CRLF characters</p>
+</li>
+<li>
+<p>Seemingly "safe" values such as logger names, thread names, and log levels,
which may contain unexpected data depending on your application</p>
+</li>
+</ul>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="crlf-injection-rfc5424-layout"><a class="anchor"
href="#crlf-injection-rfc5424-layout"></a>RFC 5424 layout</h3>
+<div class="paragraph">
+<p><strong>Claim</strong>: RFC 5424 layout is vulnerable to CRLF injection
because it does not escape CRLF characters by default.</p>
+</div>
+<div class="paragraph">
+<p>RFC 5424 layout is a <strong>structured format</strong> with well-defined
fields and delimiters, enabling reliable and unambiguous parsing.
+However, per <a
href="https://datatracker.ietf.org/doc/html/rfc5424#section-8.2">Section 8.2 of
RFC 5424</a>, the spec itself does <strong>not</strong> require escaping of
control characters (including CRLF) in the <code>PARAM-VALUE</code> or
<code>MSG</code> fields.
+Instead, responsibility for handling those characters is delegated to the
<strong>transport binding</strong> in use.</p>
+</div>
+<div class="paragraph">
+<p>For this reason, Log4j Core does not escape CRLF characters by default, and
this is <strong>not</strong> considered a vulnerability.</p>
+</div>
+<div class="sect3">
+<h4 id="crlf-injection-rfc5424-layout-why-not"><a class="anchor"
href="#crlf-injection-rfc5424-layout-why-not"></a>Why this is not a
vulnerability</h4>
+<div class="paragraph">
+<p>The appropriate handling of CRLF characters depends on which transport
protocol carries the log messages.
+RFC 5424 is used with several protocol bindings, each with different framing
semantics:</p>
+</div>
+<div class="dlist">
+<dl>
+<dt class="hdlist1">UDP (<a
href="https://datatracker.ietf.org/doc/html/rfc5426">RFC 5426</a>)</dt>
+<dd>
+<p>Each message is transmitted as a self-contained datagram, so CRLF
characters carry no special meaning and require no escaping.</p>
+</dd>
+<dt class="hdlist1">TLS-encrypted TCP (<a
href="https://datatracker.ietf.org/doc/html/rfc5425">RFC 5425</a>)</dt>
+<dd>
+<p>The recommended transport for new deployments.
+Uses length-prefixed framing, so message boundaries are established
independently of content.
+CRLF escaping is not required.</p>
+</dd>
+<dt class="hdlist1">Legacy TCP (<a
href="https://datatracker.ietf.org/doc/html/rfc6587">RFC 6587</a>)</dt>
+<dd>
+<p>Uses LF as a message delimiter, so LF characters within a message must be
escaped.
+This protocol is <strong>discouraged</strong> for new deployments due to known
limitations.</p>
+</dd>
+</dl>
+</div>
+<div class="paragraph">
+<p>Applying CRLF escaping unconditionally at the layout level would silently
alter log content for transport bindings that do not need it.
+Defaulting to no escaping preserves the original log data while allowing each
transport binding to apply the appropriate treatment.</p>
+</div>
+<div class="admonitionblock tip">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-tip" title="Tip"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>RFC 5424 layout does support optional CRLF escaping, which you can enable
explicitly when using a transport that requires it (such as legacy TCP over RFC
6587).
+Refer to the layout configuration reference for details.</p>
+</div>
+<div class="paragraph">
+<p>If you are starting a new deployment, prefer TLS-encrypted TCP (RFC 5425),
which avoids this concern entirely through length-prefixed framing.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1">
+<h2 id="path-traversal"><a class="anchor" href="#path-traversal"></a><a
href="https://cwe.mitre.org/data/definitions/35.html">CWE-35: Path
Traversal</a></h2>
+<div class="sectionbody">
+<div class="paragraph">
+<p>A frequently reported issue is the presence of unvalidated file paths in
configuration files, such as file appender file names.</p>
+</div>
+<div class="paragraph">
+<p><strong>Claim</strong>: File appenders are vulnerable to path traversal
because they accept unvalidated file paths.</p>
+</div>
+<div class="sect2">
+<h3 id="path-traversal-why-not"><a class="anchor"
href="#path-traversal-why-not"></a>Why this is not a vulnerability</h3>
+<div class="paragraph">
+<p>Configuration files are <strong>trusted</strong> resources according to our
<a href="../security.html#threat-model" class="xref page">threat model</a> and
must be protected accordingly.
+Given that trust, constraining the file paths they may contain provides no
meaningful security benefit.</p>
+</div>
+<div class="paragraph">
+<p>Limiting file paths to a specific directory would also introduce a
<strong>chicken-and-egg problem</strong>: doing so would require an additional
configuration resource to define the allowed directory, which itself would need
to be trusted and protected.
+We do not establish a hierarchy of trust between configuration resources
(environment variables, system properties, configuration files, and so on):
they are all considered equally trusted.</p>
+</div>
+</div>
+<div class="sect2">
+<h3 id="path-traversal-problematic-contexts"><a class="anchor"
href="#path-traversal-problematic-contexts"></a>Problematic contexts</h3>
+<div class="paragraph">
+<p>While unvalidated file paths in configuration are not a vulnerability in
themselves, they can become one when <strong>interpolation</strong> features
(arbiters, lookups, etc.) are used to construct file paths dynamically.</p>
+</div>
+<div class="paragraph">
+<p>This risk is compounded when interpolation occurs at
<strong>runtime</strong> rather than at configuration time: for example, when
appenders are created dynamically by Log4j Core’s
+<a
href="https://logging.apache.org/log4j/2.x/manual/appenders/delegating.html#RoutingAppender">Routing
appender</a>.
+In those cases, the interpolated values originate outside the configuration
file itself and may originate from untrusted or attacker-controlled sources.</p>
+</div>
+<div class="paragraph">
+<p>It is the user’s responsibility to ensure that the sources of any
interpolated values used in file paths are trustworthy.</p>
+</div>
+<div class="admonitionblock important">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-important" title="Important"></i>
+</td>
+<td class="content">
+<div class="paragraph">
+<p>The trustworthiness of an interpolation source cannot be determined a
priori by the Logging Services libraries, because it depends on the specific
application and how it uses that source.</p>
+</div>
+<div class="paragraph">
+<p>Consider <code>${ctx:…​}</code> lookups as an example: some
applications populate the thread context map exclusively with internally
generated values (such as request IDs), while others may include user-provided
data (such as HTTP headers).
+In practice, trustworthiness often varies even at the per-key level: some
context map keys may be safe to use in file paths, while others may not.</p>
+</div>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+</div>
+</article>
+ </div>
+</main>
+</div>
+<footer class="footer">
+ <p>
+ Copyright © 1999-2026 <a href="https://www.apache.org/">The Apache
Software Foundation</a>.
+ Licensed under the <a
href="https://www.apache.org/licenses/LICENSE-2.0">Apache Software License,
Version 2.0</a>.
+ Please read our <a
href="https://privacy.apache.org/policies/privacy-policy-public.html">privacy
policy</a>.
+ </p>
+ <p>
+ Apache, Log4j, and the Apache feather logo are trademarks or registered
trademarks of The Apache Software Foundation.
+ Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+ Other names may be trademarks of their respective owners.
+ </p>
+</footer>
+<script id="site-script" src="../_/js/site.js"
data-ui-root-path="../_"></script>
+<script async src="../_/js/vendor/highlight.js"></script>
+<!-- `@asciidoctor/tabs` extension scripts -->
+<script async src="../_/js/vendor/tabs.js"></script>
+ </body>
+</html>
diff --git a/sitemap.xml b/sitemap.xml
index a9a46ed2..4e3fbbf4 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -2,82 +2,86 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://logging.apache.org/blog/20231117-flume-joins-logging-services.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231128-new-pmc-member.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231202-apache-common-logging-1.3.0.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231214-announcing-support-from-the-stf.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20231218-20-years-of-innovation.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240725-Log4j-At-Community-Over-Code-2024.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240808-welcome-to-the-pmc-jan.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20240812-log4j-bug-bounty.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/20250728-introduction-to-vex-files.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/blog/index.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/charter.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/download.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/guidelines.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/index.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/processes.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/security.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
+</url>
+<url>
+<loc>https://logging.apache.org/security/faq.html</loc>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/support.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/team-list.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/what-is-logging.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
<url>
<loc>https://logging.apache.org/xml/ns/index.html</loc>
-<lastmod>2026-01-22T09:57:38.511Z</lastmod>
+<lastmod>2026-03-25T19:40:15.454Z</lastmod>
</url>
</urlset>
diff --git a/support.html b/support.html
index 0ec31924..910a7b5a 100644
--- a/support.html
+++ b/support.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/team-list.html b/team-list.html
index 04aa52ad..311f03ef 100644
--- a/team-list.html
+++ b/team-list.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/what-is-logging.html b/what-is-logging.html
index 80a4c51e..3906d1bf 100644
--- a/what-is-logging.html
+++ b/what-is-logging.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="xml/ns/index.html">XML Schema</a>
diff --git a/xml/ns/index.html b/xml/ns/index.html
index 9bbd8762..44f65d59 100644
--- a/xml/ns/index.html
+++ b/xml/ns/index.html
@@ -97,7 +97,13 @@
<a class="nav-link" href="../../support.html">Support</a>
</li>
<li class="nav-item" data-depth="1">
+ <button class="nav-item-toggle"></button>
<a class="nav-link" href="../../security.html">Security</a>
+<ul class="nav-list">
+ <li class="nav-item" data-depth="2">
+ <a class="nav-link" href="../../security/faq.html">FAQ</a>
+ </li>
+</ul>
</li>
<li class="nav-item is-current-page" data-depth="1">
<a class="nav-link" href="index.html">XML Schema</a>