merlimat opened a new pull request, #25531:
URL: https://github.com/apache/pulsar/pull/25531

### Motivation

Cherry-pick of apache/pulsar#25521 to `branch-4.0`.

log4j 2.25.3 is affected by four CVEs fixed in 2.25.4:

- **CVE-2026-34477** — `verifyHostName` attribute in `<Ssl>` configuration was silently ignored in all versions since 2.12.0. TLS connections from SMTP, Socket, and Syslog appenders configured via the nested `<Ssl>` element were not verifying hostnames, enabling MITM attacks.
- **CVE-2026-34478** — `Rfc5424Layout` silently renamed `newLineEscape` and `useTlsMessageFormat` attributes in 2.21.0, causing CRLF injection for TCP framing users and a silent TLS-to-plain-TCP downgrade for RFC 5425 users.
- **CVE-2026-34480** — `XmlLayout` did not sanitize characters forbidden by XML 1.0, producing invalid XML when log messages or MDC values contained them.
- **CVE-2026-34481** — `JsonTemplateLayout` produced invalid JSON (NaN / Infinity / -Infinity) for `MapMessage` entries containing non-finite floats, which downstream log processors reject per RFC 8259.

None of these affect Pulsar users with the default log4j2.yaml configuration, but shipping library versions with known vulnerabilities trips code scanning and downstream security audits.

### Modifications

`branch-4.0` still uses Maven, so the master commit's `gradle/libs.versions.toml` change does not apply directly. Ported equivalently:

- Bump `log4j2.version` from 2.25.3 to 2.25.4 in `pom.xml` and `buildtools/pom.xml`.
- Update server and shell distribution `LICENSE.bin.txt` to reflect the new jar versions.

### Master PR

- apache/pulsar#25521 — `[fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
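A post-bump consistency check for the Modifications described in the PR, added here as an example and not part of the PR or of Pulsar's build tooling: it reads the `log4j2.version` property out of a Maven pom, confirms it is at least 2.25.4 (the first release carrying the four fixes), and checks that every log4j jar listed in a `LICENSE.bin.txt` carries the same version as the pom. The pom and license excerpts are constructed, and the jar-name format in the license excerpt is simplified.

```python
"""Verify a log4j version bump is consistent across pom.xml and LICENSE.bin.txt.

Added example; not code from the Pulsar PR. Inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# First log4j release containing the fixes for the four CVEs named in the PR.
MIN_FIXED = (2, 25, 4)

# Constructed excerpt of a Maven pom.xml (hypothetical, not Pulsar's real file).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j2.version>2.25.4</log4j2.version>
  </properties>
</project>
"""

# Constructed excerpt of a distribution LICENSE.bin.txt; one jar was left behind.
LICENSE_BIN = """
  - log4j-api-2.25.4.jar
  - log4j-core-2.25.4.jar
  - log4j-slf4j2-impl-2.25.3.jar
"""


def parse_version(s):
    """'2.25.4' -> (2, 25, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def pom_log4j_version(pom_text):
    """Return the log4j2.version property value, ignoring the POM XML namespace."""
    root = ET.fromstring(pom_text)
    for el in root.iter():
        # el.tag looks like '{http://maven.apache.org/POM/4.0.0}log4j2.version'
        if el.tag.rpartition("}")[2] == "log4j2.version" and el.text:
            return el.text.strip()
    raise ValueError("log4j2.version property not found")


def license_log4j_jars(license_text):
    """Return {artifact: version} for every log4j-*-<ver>.jar mentioned."""
    pat = re.compile(r"(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar")
    return {m.group(1): m.group(2) for m in pat.finditer(license_text)}


def check_upgrade(pom_text, license_text, min_fixed=MIN_FIXED):
    """Return a list of findings; an empty list means the bump is consistent."""
    findings = []
    pom_ver = pom_log4j_version(pom_text)
    fixed = ".".join(map(str, min_fixed))
    if parse_version(pom_ver) < min_fixed:
        findings.append(
            f"pom log4j2.version {pom_ver} is below first fixed release {fixed}"
        )
    for jar, ver in license_log4j_jars(license_text).items():
        if ver != pom_ver:
            findings.append(f"LICENSE.bin.txt lists {jar} {ver}, pom says {pom_ver}")
    return findings


if __name__ == "__main__":
    for finding in check_upgrade(POM_XML, LICENSE_BIN):
        print(finding)
```

Run it against the real `pom.xml`, `buildtools/pom.xml` and each distribution's `LICENSE.bin.txt` after the bump; a stale jar version in the license file is exactly the kind of mismatch that code scanning flags after the pom has already moved on.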

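The CVE-2026-34481 failure mode seen from the consumer side, as an added example that is not code from the PR or from log4j: a strict RFC 8259 parser run over constructed JSON log lines rejects the `NaN` / `-Infinity` literals that a non-compliant emitter writes for non-finite floats, and a hypothetical producer-side guard (`sanitize_map`, an assumption for illustration, not log4j's own fix) shows what a compliant emitter has to do with such values before serializing.

```python
"""Strict RFC 8259 checking of JSON log lines, plus a producer-side guard.

Added example; not code from the Pulsar PR or from log4j. Sample lines are constructed.
"""
import json
import math

# Constructed lines in the shape a JSON-per-line layout might emit (hypothetical content).
# Line 2 and 3 carry the non-finite literals the PR describes; line 4 is truncated.
SAMPLE_LINES = [
    '{"@timestamp":"2026-01-01T00:00:00Z","level":"INFO","message":"ok","ratio":0.5}',
    '{"@timestamp":"2026-01-01T00:00:01Z","level":"INFO","message":"div","ratio":NaN}',
    '{"@timestamp":"2026-01-01T00:00:02Z","level":"WARN","message":"ovf","ratio":-Infinity}',
    '{"@timestamp":"2026-01-01T00:00:03Z","level":"INFO","message":"cut"',
]


def _reject_constant(token):
    # json.loads calls this only for NaN, Infinity and -Infinity; RFC 8259 has no
    # such literals, so a strict consumer must refuse them instead of mapping to float.
    raise ValueError(f"non-finite number literal {token!r} is not valid JSON")


def parse_strict(line):
    """Parse one log line as strict RFC 8259 JSON; raises ValueError otherwise."""
    # json.JSONDecodeError is a ValueError subclass, so syntax errors surface the same way.
    return json.loads(line, parse_constant=_reject_constant)


def find_invalid_lines(lines):
    """Return [(line_number, reason)] for every line a strict processor would drop."""
    bad = []
    for n, line in enumerate(lines, 1):
        try:
            parse_strict(line)
        except ValueError as e:
            bad.append((n, str(e)))
    return bad


def emit_unsafe(entries):
    """Serialize like a non-compliant emitter: Python's default allows NaN/Infinity."""
    return json.dumps(entries)


def sanitize_map(entries):
    """Hypothetical producer-side guard: stringify non-finite floats so the record
    stays valid JSON and the value is still visible to whoever reads the log."""
    out = {}
    for key, value in entries.items():
        if isinstance(value, float) and not math.isfinite(value):
            out[key] = str(value)  # 'nan', 'inf' or '-inf'
        else:
            out[key] = value
    return out


def emit_safe(entries):
    """Serialize with allow_nan=False so any non-finite value that slipped past
    sanitize_map raises here rather than producing an unparsable line."""
    return json.dumps(sanitize_map(entries), allow_nan=False)


if __name__ == "__main__":
    for n, reason in find_invalid_lines(SAMPLE_LINES):
        print(f"line {n}: {reason}")
    print(emit_unsafe({"ratio": float("nan")}))  # the broken form
    print(emit_safe({"ratio": float("nan")}))    # the compliant form
```

`find_invalid_lines` is the check to run over a sample of shipped logs after the upgrade: any hit on a `NaN` or `Infinity` literal means a pre-2.25.4 layout is still in the path, whatever the pom says.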