Please note that you can receive reload4j related announcements by subscribing to the QOS.ch announce mailing list.
Reload4j artifacts are binary reproducible, as independently attested by reproducible-central.
2022-11-28 - Release of reload4j 1.2.24
methods in the Loader class are used to search for resources and to load classes, typically appenders or layouts. In this release, only the class loader that loaded the Loader class itself is used. The thread context class loader (TCCL) is no longer used. In previous releases, this was already the case when running under JDK 9 and later but not under JDK 8 or earlier. The change provides both more consistent and also simpler behavior. It should be transparent to users.
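The difference between the two lookups, as an added example that is not reload4j's own code: a resource visible only to the thread context class loader is found through the TCCL but not through the loader that defined the calling class. The class name LoaderLookupDemo, the resource name and the temporary directory are made up for the demonstration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; not reload4j's Loader implementation.
public class LoaderLookupDemo {
    // Hypothetical resource name, constructed for this demo.
    static final String RESOURCE = "demo-appender.properties";

    // Lookup through the thread context class loader (TCCL).
    static URL viaContextLoader(String name) {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        return tccl == null ? null : tccl.getResource(name);
    }

    // Lookup through the loader that defined the anchor class only.
    static URL viaDefiningLoader(Class<?> anchor, String name) {
        ClassLoader cl = anchor.getClassLoader();
        // A null loader means the bootstrap loader; use the system lookup instead.
        return cl == null ? ClassLoader.getSystemResource(name) : cl.getResource(name);
    }

    public static void main(String[] args) throws Exception {
        // Put the resource in a directory that only a child loader can reach.
        Path dir = Files.createTempDirectory("tccl-only");
        Files.write(dir.resolve(RESOURCE), "constructed sample".getBytes(StandardCharsets.UTF_8));

        ClassLoader original = Thread.currentThread().getContextClassLoader();
        URL[] path = { dir.toUri().toURL() };
        try (URLClassLoader child = new URLClassLoader(path, LoaderLookupDemo.class.getClassLoader())) {
            Thread.currentThread().setContextClassLoader(child);
            // The child loader is the TCCL, so this lookup can reach the directory.
            System.out.println("TCCL lookup:            " + viaContextLoader(RESOURCE));
            // The defining loader is the child's parent and cannot reach it.
            System.out.println("defining-loader lookup: " + viaDefiningLoader(LoaderLookupDemo.class, RESOURCE));
        } finally {
            Thread.currentThread().setContextClassLoader(original);
        }
    }
}
```

Appenders, layouts or configuration files that are reachable only through a container-supplied context loader fall into the second case.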
The binary of this version can be reproduced by checking out the tag v_1.2.24 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-11-21 - Release of reload4j 1.2.23
Automatic-Module-Name entry set to ch.qos.reload4j in the MANIFEST.MF file. This should help in including reload4j as a named dependency in Jigsaw modular projects. This enhancement was suggested by Rob Spoor, who also provided the relevant PR.
The binary of this version can be reproduced by checking out the tag v_1.2.23 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-07-21 - Release of reload4j 1.2.22
• Fixed a newly discovered XXE vector vulnerability reported against Chainsaw. This issue was reported by PJ Fanning.
• Added GitHub token permissions for GitHub Actions workflow. A similar issue was reported to the SLF4J project by Varun Sharma.
The binary of this version can be reproduced by checking out the tag v_1.2.22 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-05-17 - Release of reload4j 1.2.21
This release was championed by Cloudera.
• The binary compatibility issue between earlier versions of reload4j and slf4j-log4j12 has been fixed. Although it is recommended that you use slf4j-reload4j as the preferred adapter for the slf4j/reload4j combination, with reload4j version 1.2.21 and later you can freely mix any version of slf4j-log4j12, if you have to.
The binary of this version can be reproduced by checking out the tag v_1.2.21 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.
2022-04-05 - Release of reload4j 1.2.20
• For enabled logging statements, the performance of iterating on appenders attached to a logger has been significantly improved.
The binary of this version can be reproduced by checking out the tag v_1.2.20 from the source code repository (github). Release built using Java "8" build 1.8.0_311-b11 under Windows 11.
2022-02-08 - Release of reload4j 1.2.19
Starting with 188.8.131.52, reload4j releases are reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from the source code repository and building that local copy will obtain a binary identical to the published binary.
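One way to check this claim for a given release, as an added example that is not part of the reload4j build: compare the SHA-256 of a locally built jar with the published one and, on mismatch, list the entries whose content or stored timestamp differs. The class name JarReproCheck is hypothetical and both jar paths are supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.zip.*;

// Added illustration; not part of the reload4j build.
public class JarReproCheck {
    static String sha256(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    static String fileDigest(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) { return sha256(in); }
    }

    // Maps each entry name to "content digest @ stored modification time".
    static Map<String, String> entries(String jar) throws Exception {
        Map<String, String> out = new TreeMap<>();
        try (ZipFile zf = new ZipFile(jar)) {
            for (ZipEntry ze : Collections.list(zf.entries())) {
                try (InputStream in = zf.getInputStream(ze)) {
                    out.put(ze.getName(), (ze.isDirectory() ? "dir" : sha256(in)) + " @" + ze.getTime());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: jar built locally from the release tag; args[1]: published jar.
        String local = fileDigest(args[0]), published = fileDigest(args[1]);
        if (local.equals(published)) {
            System.out.println("identical, SHA-256 " + local);
            return;
        }
        // Whole-file digests differ: list the entries responsible.
        Map<String, String> l = entries(args[0]), p = entries(args[1]);
        Set<String> names = new TreeSet<>(l.keySet());
        names.addAll(p.keySet());
        for (String n : names)
            if (!Objects.equals(l.get(n), p.get(n)))
                System.out.println(n + ": local " + l.get(n) + ", published " + p.get(n));
        System.exit(1);
    }
}
```

If the digests differ but no entry is listed, the difference lies in archive-level data such as entry order or compression, which the per-entry map ignores.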
• Given that the 4th position in the release number may be interpreted as an unnumbered qualifier, from now on, reload4j releases will have 3 positions and if needed a real qualifier at the 4th position.
Bundle-SymbolicName entry in MANIFEST.MF is now set to org.apache.log4j. In addition, the was removed. See OSGi spec 3.4.1. This fixes the last reported kinks in the OSGi bundle manifest file.
• Added missing default Java manifest entries such as "Implementation-Title", "Implementation-Vendor" and "Implementation-Version" to MANIFEST.MF. This solves issue 37.
• Fixed test cases so that no folders other than those under the target folder are modified. This fixes issue 15.
2022-02-03 - Release of reload4j 184.108.40.206
• Starting with reload4j 220.127.116.11, reload4j releases will be reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from github and building that local copy, will obtain an identical binary to the binary found on Maven central.
Fix error message in case of missing
function in older
implementations. This fixes issue 34.
2022-01-26 - Release of reload4j 18.104.22.168
• Fixed OSGi manifest issues. Many thanks to Grzegorz Grzybek for providing the relevant patch.
org.apache.log4j.jmx package as it
was marked as deprecated and its use discouraged.
2022-01-24 - Release of reload4j 22.214.171.124
• XML entity injection attack was fixed by hardening
(SMTPAppender) fixed by adding
option. This option, enabled by default, will check that the
certificate presented by the server matches
this option is 'true' by default, it is only active if the
• Removed ORO package dependency in tests.
• Added missing OSGi bundle information.
2022-01-21 - Release of reload4j 126.96.36.199
Thanks to the remarkable work of Vladimir Sitnikov
now interprets the SQL expression on the fly so as to insert new
PreparedStatement instances. Note that
the table column types are restricted to those types compatible
• The LF5 package was removed with no replacement.
2022-01-19 - Release of reload4j 188.8.131.52
• CVE-2022-23302 (JMSSink) - fixed by hardening the component.
• CVE-2022-23305 (JDBCAppender) - fixed in 184.108.40.206 by removal
In the absence of a robust and well tested countermeasure,
JDBCAppender has been removed to prevent SQL injection
attacks. We have a proposed countermeasure which may yet
JDBCAppender. See PR 26.
2022-01-12 - Release of reload4j 220.127.116.11
First release of reload4j fixing the following issues:
• Standardize and sanitize the build.
• CVE-2021-4104 (JMSAppender) fixed by hardening the components
• CVE-2019-17571 (SocketServer) - fixed by hardening the component.
• Under Java 9 and later, the MDC implementation in log4j incorrectly assumed that the runtime environment was Java 1.1. This caused MDC functionality to be disabled entirely. This issue was fixed by removing the silly "are we running under Java 1.1 or earlier?" test.
2022-01-06 - start of work on reload4j project
Launch of the reload4j project. Work has begun on the web-site and source repositories.