LOG4J2-3242

2021-12-21 Thread Ralph Goers
This ticket complains because ConfigurationFactory looks to see if a system property named log4j.configuration is set. If it is then it tries to initialize the configuration it points to as a Log4j 1.x configuration using the PropertiesConfiguration I implemented. Unfortunately, this is the sam

[ANNOUNCE] Apache Log4j 2.12.3 for Java 7 Released

2021-12-21 Thread Ralph Goers
The Apache Log4j 2 team is pleased to announce the Log4j 2.12.3 release! Apache log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as

[ANNOUNCE] Apache Log4j 2.3.1 for Java 6 released

2021-12-21 Thread Ralph Goers
The Apache Log4j 2 team is pleased to announce the Log4j 2.3.1 release! Apache log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as

[RESULT] [VOTE] Release Apache Log4j 2.3.1-rc1

2021-12-21 Thread Ralph Goers
This vote has passed with +1 votes from Ron Grabowski, Gary Gregory, Matt Sicker, Carter Kozak, Ralph Goers, and Remko Popma. There were no other votes. Tim Perry validated the build on Windows 10 and Java 6. I will continue with the release process. Ralph

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Tim Perry
I was able to build on Windows 10, with Zulu Java 6. On Tue, Dec 21, 2021 at 1:29 PM Remko Popma wrote: > +1 I am changing my vote. > My earlier pipecleaning program failed because the config had a JmsAppender > configured in it... My bad. > Signatures are good. > Pipecleaning program works on J

[RESULT][VOTE] Release Log4j 2.12.3-rc1

2021-12-21 Thread Ralph Goers
This vote has passed with +1 votes from Matt Sicker, Carter Kozak, Remko Popma, Gary Gregory, and Ralph Goers. There were no other votes. I will continue with the release process. Ralph

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Remko Popma
+1 I am changing my vote. My earlier pipecleaning program failed because the config had a JmsAppender configured in it... My bad. Signatures are good. Pipecleaning program works on Java 6 when I remove the JmsAppender from the config. On Wed, Dec 22, 2021 at 6:23 AM Ralph Goers wrote: > My +1 >

Re: [VOTE] Release Apache Log4j 2.12.3-rc1

2021-12-21 Thread Ralph Goers
My +1 Ralph > On Dec 20, 2021, at 5:52 PM, Ralph Goers wrote: > > This is a vote to release Log4j 2.12.3, a security release for Java 7 users. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artifacts > [] -1, don't release because... > > The

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Ralph Goers
My +1 I tested it in an Ubuntu VM and verified it with Java 6. Ralph > On Dec 20, 2021, at 10:18 PM, Ralph Goers wrote: > > This is a vote to release Log4j 2.3.1, a security release for Java 6 users. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc3

2021-12-21 Thread Gary Gregory
Is it possible that RAT is only configured for reporting and not invocation from a build? The log4j RAT passes. Gary On Tue, Dec 21, 2021, 16:12 Matt Sicker wrote: > The jquery.js file has a license header; I have no idea why rat complains > about it. And these two files are copied verbatim f

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc3

2021-12-21 Thread Matt Sicker
The jquery.js file has a license header; I have no idea why rat complains about it. And these two files are copied verbatim from log4j2, so I don’t see the issue here. I looked at the rat report on the site and it looked fine, too. -- Matt Sicker > On Dec 21, 2021, at 14:55, Gary Gregory wrote:

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Carter Kozak
+1 rat and build succeed, however I don't have a jre6 around to test with. Apache Maven 3.6.3 Maven home: /usr/share/maven Java version: 1.8.0_282, vendor: Azul Systems, Inc., runtime: /home/ckozak/.tools/jdk/zulu8.52.0.23-ca-jdk8.0.282-linux_x64/jre Default locale: en_US, platform encoding: UTF

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Matt Sicker
+1 Signatures good, build good, artifacts good. -- Matt Sicker > On Dec 20, 2021, at 23:18, Ralph Goers wrote: > > This is a vote to release Log4j 2.3.1, a security release for Java 6 users. > > Please download, test, and cast your votes on the log4j developers list. > [] +1, release the artif

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Gary Gregory
+1 I did the same steps as Rob but I only used Java 8: - mvn apache-rat:check -DskipTests - mvn clean install - mvn site -DskipTests openjdk version "1.8.0_312" OpenJDK Runtime Environment (build 1.8.0_312-bre_2021_10_20_23_15-b00) OpenJDK 64-Bit Server VM (build 25.312-b00, mixed mode) Apache M

Re: [VOTE] Release Log4j Kotlin API 1.2.0-rc3

2021-12-21 Thread Gary Gregory
The RAT check (mvn apache-rat:check) fails on: src/site/resources/js/jquery.min.js src/site/resources/js/jquery.js If it is indeed ok to ship these files, then the RAT check should exclude these files and the NOTICE file be updated with an appropriate entry. I know this is not the runtime, it

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Ron Grabowski
+1 I wrote a simple HelloWorld app with 2.3.1 running on jdk1.6.0_45 to further verify LOG4J2-3198. These commands ran successfully too: mvn clean install mvn site -DskipTests mvn apache-rat:check -DskipTests Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537) Maven home: C:\project

Re: [DISCUSS] [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Gary Gregory
I will report on the build I started before I left the house, but I won't be back for an hour or two. Gary On Tue, Dec 21, 2021, 13:29 Ralph Goers wrote: > I have installed Java 6 in an Ubuntu VM and created a simple all that just > logs Hello, world!. I had no problem running it in Java 6 wit

Re: Resurrecting log4j 1.x

2021-12-21 Thread Ralph Goers
Note that this “requires access to the logging configuration” is simply wrong. I wish I had known 10 years ago what I now know about JNDI, and Java’s LDAP support via JNDI. Unfortunately, I only learned about it in the last 3 weeks. The LDAP schema for Java is where the real problem lies. It d

[DISCUSS] [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Ralph Goers
I have installed Java 6 in an Ubuntu VM and created a simple all that just logs Hello, world!. I had no problem running it in Java 6 with the 2.3.1 api and core jars. Remko, if you want to do a screen share I’d be happy to demo it. Ralph > On Dec 21, 2021, at 7:15 AM, Ralph Goers wrote: > >

Re: Resurrecting log4j 1.x

2021-12-21 Thread Leo Simons
On Tue, 21 Dec 2021 at 18:48, Gary Gregory wrote: > … > I wonder what logback actually means by "Temporarily removed DB support for > security reasons.", did they remove public or protected code? Well we have > enough to deal with here without worrying about that. Yeah they deleted DBAppender.

Re: Resurrecting log4j 1.x

2021-12-21 Thread Gary Gregory
WRT naming, let's stay with considering a 1.2.18, that's the type of naming we used in 2.x with 2.12.x and 2.3.x, no need to make things more complicated IMO. I wonder what logback actually means by "Temporarily removed DB support for security reasons.", did they remove public or protected code? W

Re: Resurrecting log4j 1.x

2021-12-21 Thread Leo Simons
(On mobile, excuse typos/top post) +1. My interest is in staying here, work together, make a security release as one community (and I probably will be gone when security is no longer a topic), that is as good as possible, out soon(tm). I won’t object to but also won’t join something “new” (feel fr

Re: Resurrecting log4j 1.x

2021-12-21 Thread Ralph Goers
To be clear, we have declared Java 6 & 7 EOL for Log4j 2. Yet we are here building patch releases for them. We are only including the security patches. I see Log4j 1.x as exactly the same as those. Ralph > On Dec 21, 2021, at 6:45 AM, Gary Gregory wrote: > > I agree with Remko on all his po

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Ralph Goers
You should try 2.3. I bet you get the same result. I bet we enhanced the plugin system to ignore plugins that get NoClassDefFoundError. Ralph > On Dec 21, 2021, at 6:41 AM, Remko Popma wrote: > > Gary, > > No it’s literally that pipe cleaning class, the api and core jar, and a > Log4j2.xml w

Re: Resurrecting log4j 1.x

2021-12-21 Thread Gary Gregory
I agree with Remko on all his points. As I've stated before, IF there is a 1.2.18, it should ONLY be for CVEs, and where applicable, fixed in the same style as we have for 2.x. This is, IMO, what would be best for users *short* of migrating for 2.x. A problem from my perspective will be users thi

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Remko Popma
Gary, No it’s literally that pipe cleaning class, the api and core jar, and a Log4j2.xml with just the console Appender. That should work though without any extra dependencies. Interestingly the same setup does work without errors with 2.12.3 on Java 7. What’s the difference between 2.3.1 a

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Gary Gregory
Remko: JMS is not built-in the JRE, do you have JMS in your configuration for this test? If you do, then you'd need the JMS API and a provider as dependencies. Gary On Tue, Dec 21, 2021 at 7:37 AM Ralph Goers wrote: > > Hmmm. This is not what I was expecting. If it didn’t work I would have > e

Re: Resurrecting log4j 1.x

2021-12-21 Thread Remko Popma
Vladimir, Have you had a chance to work on a patch for the security vulnerabilities? While there is understandably not much interest in “resurrecting” the Log4j 1.x project, overall people are positive about releasing a 1.2.18 with security patches. I think it would be most helpful if we can

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Ralph Goers
Hmmm. This is not what I was expecting. If it didn’t work I would have expected bad class version exceptions. Ralph > On Dec 21, 2021, at 4:28 AM, Remko Popma wrote: > > -1 it does not work... > > Problem running a simple pipecleaning test on Java 6 with 2.3.1... > My pipecleaning program is

Re: [VOTE] Release Apache Log4j 2.12.3-rc1

2021-12-21 Thread Gary Gregory
+1 then Gary On Mon, Dec 20, 2021 at 10:50 PM Ralph Goers wrote: > > There was a bug in the site build. I checked the fix in to the branch. It > doesn’t matter for the release. > > Ralph > > > On Dec 20, 2021, at 6:46 PM, Gary Gregory wrote: > > > > Building from the git tag for HEAD detached

Re: Resurrecting log4j 1.x

2021-12-21 Thread Vladimir Sitnikov
Ron, I know these are not easy times for you, however, it looks like we are going in circles. There's visible demand for releasing fixes for 1.x: https://lists.apache.org/thread/llgp7b9v1t081o3215o7xq4zpct1x0b4 So the question is "Could you sponsor the project or do you want Incubator to do that

Re: [VOTE] Release Apache Log4j 2.3.1-rc1 for Java 6

2021-12-21 Thread Remko Popma
-1 it does not work... Problem running a simple pipecleaning test on Java 6 with 2.3.1... My pipecleaning program is something simple like this public class Pipecleaning { public static void main(String[] args) { org.apache.logging.log4j.LogManager.getLogger().info("HELLO USER ${sys:u