This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 87783896c878ef6b11cc58277b202116502e3941 Author: Matteo Merli <[email protected]> AuthorDate: Wed Apr 15 09:18:24 2026 -0700 [fix][sec] Upgrade log4j to 2.25.4 to address CVE-2026-34477, CVE-2026-34478, CVE-2026-34480, CVE-2026-34481 (#25521) Upgrades org.apache.logging.log4j:* from 2.25.3 to 2.25.4 to fix: - CVE-2026-34477: verifyHostName attribute silently ignored in TLS configuration - CVE-2026-34478: log injection in Rfc5424Layout due to silent configuration incompatibility - CVE-2026-34480: XmlLayout fails to sanitize characters forbidden by XML 1.0 - CVE-2026-34481: JsonTemplateLayout produces invalid JSON for non-finite floats (cherry picked from commit dfb06f183c312b849fce42d729c6b36181239490) --- buildtools/pom.xml | 2 +- distribution/server/src/assemble/LICENSE.bin.txt | 8 ++++---- distribution/shell/src/assemble/LICENSE.bin.txt | 8 ++++---- pom.xml | 2 +- pulsar-sql/presto-distribution/LICENSE | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/buildtools/pom.xml b/buildtools/pom.xml index 29719a3262f..801cc60ce32 100644 --- a/buildtools/pom.xml +++ b/buildtools/pom.xml @@ -48,7 +48,7 @@ <maven.compiler.target>1.8</maven.compiler.target> <maven.compiler.release>8</maven.compiler.release> <surefire.version>3.1.0</surefire.version> - <log4j2.version>2.25.3</log4j2.version> + <log4j2.version>2.25.4</log4j2.version> <slf4j.version>1.7.32</slf4j.version> <testng.version>7.7.1</testng.version> <commons-lang3.version>3.18.0</commons-lang3.version> diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index 1d86377828f..9b19de453ac 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -337,10 +337,10 @@ The Apache Software License, Version 2.0 - jakarta.validation-jakarta.validation-api-2.0.2.jar - javax.validation-validation-api-1.1.0.Final.jar * Log4J - - org.apache.logging.log4j-log4j-api-2.25.3.jar - - org.apache.logging.log4j-log4j-core-2.25.3.jar - - org.apache.logging.log4j-log4j-slf4j-impl-2.25.3.jar - - org.apache.logging.log4j-log4j-web-2.25.3.jar + - org.apache.logging.log4j-log4j-api-2.25.4.jar + - org.apache.logging.log4j-log4j-core-2.25.4.jar + - org.apache.logging.log4j-log4j-slf4j-impl-2.25.4.jar + - org.apache.logging.log4j-log4j-web-2.25.4.jar * Java Native Access JNA - net.java.dev.jna-jna-jpms-5.12.1.jar - net.java.dev.jna-jna-platform-jpms-5.12.1.jar diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt index c5ae5aca399..0c326037289 100644 --- a/distribution/shell/src/assemble/LICENSE.bin.txt +++ b/distribution/shell/src/assemble/LICENSE.bin.txt @@ -384,10 +384,10 @@ The Apache Software License, Version 2.0 - simpleclient_tracer_otel-0.16.0.jar - simpleclient_tracer_otel_agent-0.16.0.jar * Log4J - - log4j-api-2.25.3.jar - - log4j-core-2.25.3.jar - - log4j-slf4j-impl-2.25.3.jar - - log4j-web-2.25.3.jar + - log4j-api-2.25.4.jar + - log4j-core-2.25.4.jar + - log4j-slf4j-impl-2.25.4.jar + - log4j-web-2.25.4.jar * BookKeeper - bookkeeper-common-allocator-4.16.7.jar diff --git a/pom.xml b/pom.xml index 539dd46acf4..4cce4228d55 100644 --- a/pom.xml +++ b/pom.xml @@ -152,7 +152,7 @@ flexible messaging model and an intuitive client API.</description> <rocksdb.version>7.9.2</rocksdb.version> <slf4j.version>1.7.32</slf4j.version> <commons.collections4.version>4.4</commons.collections4.version> - <log4j2.version>2.25.3</log4j2.version> + <log4j2.version>2.25.4</log4j2.version> <!-- bouncycastle dependencies aren't necessarily aligned --> <bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version> <bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version> diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE index 7be45480854..c063fb4fabb 100644 --- a/pulsar-sql/presto-distribution/LICENSE +++ b/pulsar-sql/presto-distribution/LICENSE @@ -347,9 +347,9 @@ The Apache Software License, Version 2.0 - leveldb-0.12.jar - leveldb-api-0.12.jar * Log4j - - log4j-api-2.25.3.jar - - log4j-core-2.25.3.jar - - log4j-slf4j-impl-2.25.3.jar + - log4j-api-2.25.4.jar + - log4j-core-2.25.4.jar + - log4j-slf4j-impl-2.25.4.jar * Log4j implemented over SLF4J - log4j-over-slf4j-1.7.32.jar * Lucene Common Analyzers
