[reload4j] Release of reload4j version 1.2.18.2
Ceki Gülcü
ceki at qos.ch
Fri Jan 21 18:14:18 CET 2022
Hello all,
I am very happy to announce the immediate availability of reload4j
version 1.2.18.2. It is intended as a drop-in replacement for log4j
version 1.2.17. By drop in, we mean the replacement of log4j.jar with
reload4j.jar in your build with no source code changes in .java files
being necessary.
Reload4j has the following Maven coordinates:
<dependency>
<groupId>ch.qos.reload4j</groupId>
<artifactId>reload4j</artifactId>
<version>1.2.18.2</version>
</dependency>
Reload4j was built using Java 8 but targets Java 1.5.
Version 1.2.8.2 corrects the following issues:
The unit tests were updated but no actual code was changed except for
the removal of NTEventAppender and the correction of the following issues:
- Standardize and sanitize the build
- CVE-2021-4104 (JMSAppender) - fixed in 1.2.18.0 by hardening
- CVE-2022-23302 (JMSSink) - fixed in 1.2.18.1 by hardening
- CVE-2019-17571 (SocketServer) - fixed in 1.2.18.0 by hardening
- CVE-2020-9493 CVE-2022-23307 (Chainsaw) - fixed in 1.2.18.1 by
hardening
- CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.1 by hardening
- broken MDC in newer JDKs - fixed in 1.2.18.0
Thanks to the remarkable work of Vladimir Sitnikov, JDBCAppender now
interprets the SQL expression on the fly so as to insert new events
using PreparedStartement instances. Note that the table column types are
restricted to those types compatible with Java's String.
Project web-site: https://reload4j.qos.ch/
Source repository: https://github.com/qos-ch/reload4j
With release 1.2.18.2 we have addressed the most pressing
issues regarding log4j 1.x vulnerabilities.
As both log4j 1.x and reload4j do *not* offer a message lookup
mechanism, they did not suffer from the notorious log4shell vulnerability.
Donations and sponsorship
You can also support SLF4J/logback/reload4j projects via donations and
sponsorship. We thank our current supporters and sponsors for their
continued contributions.
Sponsorship link: https://github.com/sponsors/qos-ch?o=esb
Announcement mailing list:
You can receive SLF4J/logback/reload4j related announcements by
subscribing QOS.ch announce list, please visit the following URL.
http://www.qos.ch/mailman/listinfo/announce
Enjoy,
--
Ceki Gülcü
More information about the reload4j
mailing list