reload4j news
Please note that you can receive reload4j related announcements by subscribing to the QOS.ch announce mailing list.
Reload4j artifacts are binary reproducible, as independently attested by reproducible-central.
2023-03-22 - Release of reload4j 1.2.25
• The loadClass and getResource methods in the Loader class are used to search for resources and to load classes, typically appenders or layouts. Given that some users encountered problems with the changes made in version 1.2.24, the thread context class loader (TCCL) is now tried first under all JDK versions unless the "log4j.ignoreTCL" system property is set to true. This was the intended behavior all along, except that it was disabled in JDK 9 and later due to a coding error. This fixes issue 62 as reported by David Moten.
• CVE-2023-26464 was analysed and deemed not a serious or practical threat, as its attack surface is very small.
The binary of this version can be reproduced by checking out the tag v_1.2.25 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-11-28 - Release of reload4j 1.2.24
• The loadClass and getResource methods in the Loader class are used to search for resources and to load classes, typically appenders or layouts. In this release, only the class loader that loaded the Loader class itself is used. The thread context class loader (TCCL) is no longer used. In previous releases, this was already the case when running under JDK 9 and later but not under JDK 8 or earlier. The change provides both more consistent and simpler behavior. It should be transparent to users.
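The two entries above describe the two lookup orders: 1.2.25 tries the TCCL first under all JDKs unless log4j.ignoreTCL is true, while 1.2.24 used only the class loader that loaded Loader. The lookup matters for security because the class names come from configuration (appender and layout classes), so the loader consulted first decides which classes a configuration can reach in a container with several class loaders. The following is an added example, not reload4j's Loader, showing the 1.2.25 order with the ignoreTCL switch that yields the 1.2.24 behaviour; the final fall-through to the system class loader and the temporary directory fixture are this example's own choices.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.Writer;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;

/**
 * Added example (not reload4j's Loader): resource and class lookup that tries the
 * thread context class loader (TCCL) first, then the class loader that loaded this
 * class, then the system class loader. Setting -Dlog4j.ignoreTCL=true skips the TCCL
 * step, which corresponds to the loader-only behaviour of 1.2.24.
 */
public final class TcclFirstLoader {
    /** System property named in the 1.2.25 release note. */
    static final String IGNORE_TCL = "log4j.ignoreTCL";

    static boolean ignoreTccl() {
        return Boolean.parseBoolean(System.getProperty(IGNORE_TCL, "false"));
    }

    /** Returns the first hit in TCCL -> own loader -> system loader order, or null. */
    public static URL getResource(String resource) {
        if (!ignoreTccl()) {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            if (tccl != null) {
                URL url = tccl.getResource(resource);
                if (url != null) {
                    return url;
                }
            }
        }
        ClassLoader own = TcclFirstLoader.class.getClassLoader(); // null if on the bootstrap path
        URL url = own != null ? own.getResource(resource) : null;
        return url != null ? url : ClassLoader.getSystemResource(resource);
    }

    /** Same order for classes; in log4j the name typically comes from configuration. */
    public static Class<?> loadClass(String name) throws ClassNotFoundException {
        if (!ignoreTccl()) {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            if (tccl != null) {
                try {
                    return tccl.loadClass(name);
                } catch (ClassNotFoundException notVisibleToTccl) {
                    // fall back to the loader that loaded this class
                }
            }
        }
        return Class.forName(name, true, TcclFirstLoader.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a directory holding a "log4j.properties" that only a
        // throw-away loader (standing in for a container's web-app loader) can see.
        File dir = Files.createTempDirectory("tccl-demo").toFile();
        File cfg = new File(dir, "log4j.properties");
        try (Writer w = new FileWriter(cfg)) {
            w.write("log4j.rootLogger=INFO, stdout\n");
        }
        ClassLoader appLoader = TcclFirstLoader.class.getClassLoader();
        ClassLoader webappLoader = new URLClassLoader(new URL[] { dir.toURI().toURL() }, appLoader);
        Thread.currentThread().setContextClassLoader(webappLoader);

        System.clearProperty(IGNORE_TCL);
        System.out.println("TCCL first:   " + getResource("log4j.properties")); // the temp file

        System.setProperty(IGNORE_TCL, "true");
        System.out.println("TCCL ignored: " + getResource("log4j.properties")); // whatever the app loader sees, else null

        // Class lookup follows the same order; the web-app loader delegates to the app loader,
        // so a class visible to the application still resolves when the TCCL is consulted first.
        System.clearProperty(IGNORE_TCL);
        System.out.println("loadClass:    " + loadClass("java.util.ArrayList").getName());
        cfg.delete();
        dir.delete();
    }
}
```

Run it once with no system properties and once with -Dlog4j.ignoreTCL=true to see the lookup switch between the two orders; the second lookup returns null unless a log4j.properties happens to be on the application class path.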
The binary of this version can be reproduced by checking out the tag v_1.2.24 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-11-21 - Release of reload4j 1.2.23
• Added an Automatic-Module-Name entry set to ch.qos.reload4j in the MANIFEST.MF file. This should help in including reload4j as a named dependency in Jigsaw modular projects. This enhancement was suggested by Rob Spoor, who also provided the relevant PR.
The binary of this version can be reproduced by checking out the tag v_1.2.23 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-07-21 - Release of reload4j 1.2.22
• Fixed a newly discovered XXE (XML external entity) vulnerability reported against Chainsaw. This issue was reported by PJ Fanning.
• Added GitHub token permissions to the GitHub Actions workflow. A similar issue was reported to the SLF4J project by Varun Sharma.
The binary of this version can be reproduced by checking out the tag v_1.2.22 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-05-17 - Release of reload4j 1.2.21
This release was championed by Cloudera.
• The binary compatibility issue between earlier versions of reload4j and slf4j-log4j12 has been fixed. Although it is recommended that you use slf4j-reload4j as the preferred adapter for the slf4j/reload4j combination, with reload4j version 1.2.21 and later you can freely mix any version of slf4j-log4j12, if you have to.
The binary of this version can be reproduced by checking out the tag v_1.2.21 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
File | Checksum | Signature |
---|---|---|
reload4j-1.2.21.jar | reload4j-1.2.21.jar.sha1 | reload4j-1.2.21.jar.asc |
2022-04-05 - Release of reload4j 1.2.20
• For enabled logging statements, the performance of iterating on appenders attached to a logger has been significantly improved.
The binary of this version can be reproduced by checking out the tag v_1.2.20 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Windows 11.
2022-02-08 - Release of reload4j 1.2.19
Starting with 1.2.18.5, reload4j releases are reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from the source code repository and building that local copy will obtain a binary identical to the published binary.
• Given that the 4th position in the release number may be interpreted as an unnumbered qualifier, from now on, reload4j releases will have 3 positions and if needed a real qualifier at the 4th position.
• The Bundle-SymbolicName entry in MANIFEST.MF is now set to org.apache.log4j. In addition, the superfluous Bundle-RequiredExecutionEnvironment entry was removed. See OSGi spec 3.4.1. This fixes the last reported kinks in the OSGi bundle manifest file.
• Added the missing default Java manifest entries such as "Implementation-Title", "Implementation-Vendor" and "Implementation-Version" to MANIFEST.MF. This solves issue 37.
• Fixed test cases so that no folders other than those under the target folder are modified. This fixes issue 15.
2022-02-03 - Release of reload4j 1.2.18.5
• Starting with reload4j 1.2.18.5, reload4j releases will be reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from github and building that local copy, will obtain an identical binary to the binary found on Maven central.
• Fixed the error message in case of a missing setFeature method in older DocumentBuilderFactory implementations. This fixes issue 34.
2022-01-26 - Release of reload4j 1.2.18.4
• Fixed OSGi manifest issues. Many thanks to Grzegorz Grzybek for providing the relevant patch.
• Removed the org.apache.log4j.jmx package, as it was marked as deprecated and its use discouraged.
2022-01-24 - Release of reload4j 1.2.18.3
• An XML entity injection vector was fixed by hardening.
• CVE-2020-9488 (SMTPAppender) fixed by adding the checkServerIdentity option. This option, enabled by default, checks that the certificate presented by the server matches SMTPHost. While this option is 'true' by default, it is only active if SMTPProtocol is "smtps".
• Removed ORO package dependency in tests.
• Added missing OSGi bundle information.
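Because checkServerIdentity defaults to true but only takes effect when SMTPProtocol is "smtps", an SMTPAppender configured with the default plain "smtp" protocol, or with the option explicitly set to false, still accepts any server certificate. The following is an added example, not reload4j code, of a check that scans a log4j.properties file for such appenders; the two constructed configurations and the option-name handling (log4j decapitalizes the first letter of an option key before matching it to a setter, so "CheckServerIdentity" and "checkServerIdentity" configure the same option) are this example's assumptions.

```java
import java.beans.Introspector;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Added example (not reload4j code): flags SMTPAppender instances in a log4j.properties
 * file whose server certificate would not be verified, i.e. SMTPProtocol is not "smtps"
 * or checkServerIdentity has been switched off.
 */
public final class SmtpAppenderCheck {
    static final String SMTP_APPENDER = "org.apache.log4j.net.SMTPAppender";
    static final String APPENDER_PREFIX = "log4j.appender.";

    /** One finding per SMTPAppender that would not verify the server's certificate name. */
    public static List<String> findings(Properties cfg) {
        List<String> out = new ArrayList<>();
        for (String key : cfg.stringPropertyNames()) {
            // Appender declarations are log4j.appender.<name>=<class>, with no further dots.
            if (!key.startsWith(APPENDER_PREFIX) || key.indexOf('.', APPENDER_PREFIX.length()) != -1) {
                continue;
            }
            if (!SMTP_APPENDER.equals(cfg.getProperty(key).trim())) {
                continue;
            }
            String name = key.substring(APPENDER_PREFIX.length());
            String protocol = option(cfg, name, "SMTPProtocol", "smtp"); // javax.mail default is smtp
            String check = option(cfg, name, "CheckServerIdentity", "true"); // default per release note
            if (!"smtps".equalsIgnoreCase(protocol)) {
                out.add(name + ": SMTPProtocol=" + protocol + " (checkServerIdentity only applies to smtps)");
            } else if (!Boolean.parseBoolean(check)) {
                out.add(name + ": CheckServerIdentity=" + check + " disables certificate name verification");
            }
        }
        return out;
    }

    /** Looks up an option under both spellings that log4j's property setter maps to one setter. */
    static String option(Properties cfg, String appender, String option, String dflt) {
        String prefix = APPENDER_PREFIX + appender + ".";
        String v = cfg.getProperty(prefix + option);
        if (v == null) {
            v = cfg.getProperty(prefix + Introspector.decapitalize(option));
        }
        return v == null ? dflt : v.trim();
    }

    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    // Constructed configurations: MAILWEAK relies on the default plain smtp protocol,
    // MAILOFF uses smtps but opts out of the check, MAIL is the corrected form.
    static final String WEAK =
            "log4j.rootLogger=ERROR, MAILWEAK, MAILOFF\n"
          + "log4j.appender.MAILWEAK=org.apache.log4j.net.SMTPAppender\n"
          + "log4j.appender.MAILWEAK.SMTPHost=smtp.example.org\n"
          + "log4j.appender.MAILWEAK.From=alerts@example.org\n"
          + "log4j.appender.MAILWEAK.To=ops@example.org\n"
          + "log4j.appender.MAILWEAK.layout=org.apache.log4j.PatternLayout\n"
          + "log4j.appender.MAILOFF=org.apache.log4j.net.SMTPAppender\n"
          + "log4j.appender.MAILOFF.SMTPHost=smtp.example.org\n"
          + "log4j.appender.MAILOFF.SMTPProtocol=smtps\n"
          + "log4j.appender.MAILOFF.checkServerIdentity=false\n"
          + "log4j.appender.MAILOFF.layout=org.apache.log4j.PatternLayout\n";

    static final String HARDENED =
            "log4j.rootLogger=ERROR, MAIL\n"
          + "log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender\n"
          + "log4j.appender.MAIL.SMTPHost=smtp.example.org\n"
          + "log4j.appender.MAIL.SMTPProtocol=smtps\n"
          + "log4j.appender.MAIL.CheckServerIdentity=true\n" // the default, stated explicitly
          + "log4j.appender.MAIL.From=alerts@example.org\n"
          + "log4j.appender.MAIL.To=ops@example.org\n"
          + "log4j.appender.MAIL.layout=org.apache.log4j.PatternLayout\n";

    public static void main(String[] args) throws IOException {
        System.out.println("weak:     " + findings(parse(WEAK)));     // two findings
        System.out.println("hardened: " + findings(parse(HARDENED))); // []
    }
}
```

The check only reads the configuration; it does not need log4j or javax.mail on the class path, so it can run as a pre-deployment lint over every log4j.properties in a tree.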
2022-01-21 - Release of reload4j 1.2.18.2
• CVE-2022-23305 (JDBCAppender) - fixed by using JDBC PreparedStatement instances, which bind the logged values as parameters instead of splicing them into the SQL text. Thanks to the remarkable work of Vladimir Sitnikov, JDBCAppender now interprets the SQL expression on the fly so as to insert new events using PreparedStatement instances. Note that the table column types are restricted to those types compatible with Java's String.
• The LF5 package was removed with no replacement.
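The CVE-2022-23305 fix above replaces string splicing with a prepared statement whose parameters are bound as String. The following is an added example, not reload4j's JDBCAppender, showing the mechanism: a log4j-style SQL pattern is rewritten once into a parameterized statement, and each event's values are then bound with setString. The pattern syntax handled (%p, %c, %m, with the legacy quoted '%m' form collapsed to a bare ?), the Event stand-in, the hostile message and the H2 in-memory JDBC URL are this example's assumptions; the concatenating form is included only to make the injection visible and is never executed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

/**
 * Added example (not reload4j's JDBCAppender): rewrite a log4j-style SQL pattern into a
 * parameterized statement once, then bind each event's values with setString.
 */
public final class ParameterizedSqlAppender {
    /** Stand-in for LoggingEvent carrying just the fields the pattern below uses. */
    static final class Event {
        final String level, logger, message;
        Event(String level, String logger, String message) {
            this.level = level; this.logger = logger; this.message = message;
        }
    }

    final String parameterizedSql;
    final List<Function<Event, String>> extractors = new ArrayList<>();

    /** Supports %p (level), %c (logger) and %m (message); a quoted '%x' becomes a bare ?. */
    ParameterizedSqlAppender(String pattern) {
        StringBuilder sql = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char ch = pattern.charAt(i);
            if (ch != '%' || i + 1 >= pattern.length()) {
                sql.append(ch);
                continue;
            }
            char spec = pattern.charAt(++i);
            switch (spec) {
                case 'p': extractors.add(e -> e.level); break;
                case 'c': extractors.add(e -> e.logger); break;
                case 'm': extractors.add(e -> e.message); break;
                case '%': sql.append('%'); continue;
                default: throw new IllegalArgumentException("unsupported conversion %" + spec);
            }
            // Legacy patterns quote the specifier ('%m'); drop the quotes so the value is bound, not spliced.
            int last = sql.length() - 1;
            if (last >= 0 && sql.charAt(last) == '\'' && i + 1 < pattern.length() && pattern.charAt(i + 1) == '\'') {
                sql.setLength(last);
                i++;
            }
            sql.append('?');
        }
        parameterizedSql = sql.toString();
    }

    /** Pre-fix style: event text is spliced into the SQL, so a message can close the literal. */
    static String concatenated(String pattern, Event e) {
        return pattern.replace("%p", e.level).replace("%c", e.logger).replace("%m", e.message);
    }

    /** Every column is bound as String, mirroring the restriction noted in the release. */
    void append(Connection conn, Event e) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(parameterizedSql)) {
            for (int i = 0; i < extractors.size(); i++) {
                ps.setString(i + 1, extractors.get(i).apply(e));
            }
            ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws Exception {
        String pattern = "INSERT INTO LOGS (LEVEL, LOGGER, MESSAGE) VALUES ('%p', '%c', '%m')";
        // Constructed hostile message: closes the string literal and appends a second statement.
        Event hostile = new Event("INFO", "app", "x'); DROP TABLE LOGS; --");
        System.out.println("spliced:  " + concatenated(pattern, hostile));
        ParameterizedSqlAppender appender = new ParameterizedSqlAppender(pattern);
        System.out.println("prepared: " + appender.parameterizedSql); // VALUES (?, ?, ?)

        // Assumes an H2 driver on the class path; pass another JDBC URL as the first argument to use a different database.
        String url = args.length > 0 ? args[0] : "jdbc:h2:mem:logs";
        try (Connection conn = DriverManager.getConnection(url);
             Statement ddl = conn.createStatement()) {
            ddl.execute("CREATE TABLE LOGS (LEVEL VARCHAR(10), LOGGER VARCHAR(100), MESSAGE VARCHAR(1000))");
            appender.append(conn, hostile);
            try (ResultSet rs = ddl.executeQuery("SELECT COUNT(*), MAX(MESSAGE) FROM LOGS")) {
                rs.next();
                System.out.println("rows=" + rs.getInt(1) + " stored verbatim: " + rs.getString(2));
            }
        }
    }
}
```

The spliced form prints as a statement that ends the INSERT early and drops the table; the prepared form stores the hostile text as an ordinary column value, and the table survives.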
2022-01-19 - Release of reload4j 1.2.18.1
• CVE-2022-23302 (JMSSink) - fixed by hardening the component.
• CVE-2020-9493 and CVE-2022-23307 (Chainsaw) - fixed by hardening the component.
• CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.1 by removal. In the absence of a robust and well-tested countermeasure, JDBCAppender has been removed to prevent SQL injection attacks. We have a proposed countermeasure which may yet salvage JDBCAppender. See PR 26.
2022-01-12 - Release of reload4j 1.2.18.0
First release of reload4j fixing the following issues:
• Standardize and sanitize the build.
• CVE-2021-4104 (JMSAppender) fixed by hardening the components
• CVE-2019-17571 (SocketServer) - fixed by hardening the component.
• Under Java 9 and later, the MDC implementation in log4j incorrectly assumed that the runtime environment was Java 1.1. This caused MDC functionality to be disabled entirely. This issue was fixed by removing the silly "are we running under Java 1.1 or earlier?" test.
2022-01-06 - start of work on reload4j project
Launch of the reload4j project. Work has begun on the web-site, and source repositories.