reload4j news

Please note that you can receive reload4j related announcements by subscribing to the QOS.ch announce mailing list.


2022-05-17 - Release of reload4j 1.2.21

• The binary compatibility issue between earlier versions of reload4j and slf4j-log4j12 has been fixed. Although it is recommended that you use slf4j-reload4j as the preferred adapter for the slf4j/reload4j combination, with reload4j version 1.2.21 and later you can freely mix any version of slf4j-log4j12, if you have to.

The binary of this version can be reproduced by checking out the tag v_1.2.21 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Debian 9.5.

File: reload4j-1.2.21.jar
Checksum: reload4j-1.2.21.jar.sha1
Signature: reload4j-1.2.21.jar.asc

2022-04-05 - Release of reload4j 1.2.20

• For enabled logging statements, the performance of iterating on appenders attached to a logger has been significantly improved.

The binary of this version can be reproduced by checking out the tag v_1.2.20 from the source code repository (github). This release was built using Java "8" build 1.8.0_311-b11 under Windows 11.

2022-02-08 - Release of reload4j 1.2.19

Starting with 1.2.18.5, reload4j releases are reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from the source code repository and building that local copy will obtain a binary identical to the published binary.

• Given that the 4th position in the release number may be interpreted as an unnumbered qualifier, reload4j releases will from now on have 3 positions and, if needed, a real qualifier in the 4th position.

• The Bundle-SymbolicName entry in MANIFEST.MF is now set to org.apache.log4j. In addition, the superfluous Bundle-RequiredExecutionEnvironment entry was removed. See OSGi spec 3.4.1. This fixes the last reported kinks in the OSGi bundle manifest file.

• Missing default Java manifest entries such as "Implementation-Title", "Implementation-Vendor" and "Implementation-Version" are now included in MANIFEST.MF. This solves issue 37.

• Fixed test cases so that no folders other than those under the target folder are modified. This fixes issue 15.


2022-02-03 - Release of reload4j 1.2.18.5

• Starting with reload4j 1.2.18.5, reload4j releases will be reproducible. By reproducible we mean that anyone checking out the code corresponding to the release version from github and building that local copy will obtain a binary identical to the one found on Maven central.

• Fixed the error message in case of a missing setFeature function in older DocumentBuilderFactory implementations. This fixes issue 34.


2022-01-26 - Release of reload4j 1.2.18.4

• Fixed OSGi manifest issues. Many thanks to Grzegorz Grzybek for providing the relevant patch.

• Removed org.apache.log4j.jmx package as it was marked as deprecated and its use discouraged.


2022-01-24 - Release of reload4j 1.2.18.3

• XML entity injection attack was fixed by hardening

• CVE-2020-9488 (SMTPAppender) fixed by adding the checkServerIdentity option. This option, enabled by default, checks that the certificate presented by the server matches SMTPHost. While this option is 'true' by default, it is only active if SMTPProtocol is "smtps".
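Because the identity check is inert under plain smtp, a configuration that sets checkServerIdentity but leaves SMTPProtocol at its default gains nothing from the fix. The following log4j.properties fragment is an added example, not configuration taken from the reload4j site; the host, port and addresses are placeholders, and the port is the usual smtps convention rather than anything the release notes state:

```properties
# Added example, not from the reload4j project. smtp.example.com, port 465 and
# the addresses are placeholders.
log4j.rootLogger=INFO, mail

log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.SMTPHost=smtp.example.com
log4j.appender.mail.SMTPPort=465

# checkServerIdentity is true by default, but it only takes effect when the
# protocol is smtps. With the default protocol (smtp) the certificate is never
# compared against SMTPHost, so set smtps explicitly.
log4j.appender.mail.SMTPProtocol=smtps
log4j.appender.mail.CheckServerIdentity=true

log4j.appender.mail.From=alerts@example.com
log4j.appender.mail.To=ops@example.com
log4j.appender.mail.Subject=Application error
log4j.appender.mail.layout=org.apache.log4j.PatternLayout
log4j.appender.mail.layout.ConversionPattern=%d %-5p %c - %m%n
```

The weak variant is the same fragment with the SMTPProtocol line removed or set to smtp: the CheckServerIdentity line is then still accepted, but has no effect.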

• Removed ORO package dependency in tests.

• Added missing OSGi bundle information.


2022-01-21 - Release of reload4j 1.2.18.2

• CVE-2022-23305 (JDBCAppender) - fixed by using JDBC PreparedStatement instances, which are invulnerable to SQL injection.

Thanks to the remarkable work of Vladimir Sitnikov, JDBCAppender now interprets the SQL expression on the fly so as to insert new events using PreparedStatement instances. Note that the table column types are restricted to those types compatible with Java's String.
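The following is an added illustration, not code from reload4j or from the patch described above, of what the switch from a formatted SQL string to a PreparedStatement changes. The `render` helper is a stand-in for PatternLayout that only understands %c, %p and %m, the SQL pattern and the event values are constructed, and `bind` shows how the collected values would be attached to a real java.sql.PreparedStatement (no database is opened here):

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Contrast between splicing a formatted event into the SQL text (the pattern
 * that made the old JDBCAppender injectable) and binding the formatted values
 * through a PreparedStatement. Simplified illustration, not reload4j code.
 */
public class SqlPatternDemo {

    /**
     * Stand-in for PatternLayout (assumption: only the %c, %p and %m
     * conversion characters are supported; everything else is copied).
     */
    static String render(String pattern, Map<String, String> event) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char ch = pattern.charAt(i);
            if (ch == '%' && i + 1 < pattern.length()) {
                String value = event.get(String.valueOf(pattern.charAt(i + 1)));
                if (value != null) {
                    out.append(value);
                    i++; // skip the conversion character
                    continue;
                }
            }
            out.append(ch);
        }
        return out.toString();
    }

    /** Old approach: the whole SQL pattern is formatted as one string per event. */
    static String spliceIntoSql(String sqlPattern, Map<String, String> event) {
        return render(sqlPattern, event);
    }

    /** Rewritten statement plus the values to bind, in placeholder order. */
    static final class Parameterized {
        final String sql;
        final List<String> values;
        Parameterized(String sql, List<String> values) {
            this.sql = sql;
            this.values = values;
        }
    }

    /**
     * New approach: each single-quoted literal that contains a conversion
     * pattern, such as '%m', becomes a ? placeholder and its rendered value is
     * collected for binding. Quoted literals without a pattern stay untouched.
     */
    static Parameterized parameterize(String sqlPattern, Map<String, String> event) {
        StringBuilder sql = new StringBuilder();
        List<String> values = new ArrayList<String>();
        int i = 0;
        while (i < sqlPattern.length()) {
            char ch = sqlPattern.charAt(i);
            if (ch == '\'') {
                int close = sqlPattern.indexOf('\'', i + 1);
                if (close != -1 && sqlPattern.substring(i + 1, close).indexOf('%') != -1) {
                    sql.append('?');
                    values.add(render(sqlPattern.substring(i + 1, close), event));
                    i = close + 1;
                    continue;
                }
            }
            sql.append(ch);
            i++;
        }
        return new Parameterized(sql.toString(), values);
    }

    /** Bind the values as strings; this is why String-compatible columns are required. */
    static void bind(PreparedStatement ps, List<String> values) throws SQLException {
        for (int idx = 0; idx < values.size(); idx++) {
            ps.setString(idx + 1, values.get(idx));
        }
    }

    public static void main(String[] args) {
        String sqlPattern =
            "INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES ('%c', '%p', '%m')";

        // Constructed event: the message carries an apostrophe, as user-supplied text often does.
        Map<String, String> event = new HashMap<String, String>();
        event.put("c", "app.Login");
        event.put("p", "WARN");
        event.put("m", "login failed for O'Brien");

        // The apostrophe closes the SQL literal early: message text has become SQL syntax.
        System.out.println(spliceIntoSql(sqlPattern, event));

        // The statement text is fixed at configuration time; only the bound values vary per event.
        Parameterized p = parameterize(sqlPattern, event);
        System.out.println(p.sql);
        System.out.println(p.values);
    }
}
```

Run it with `javac SqlPatternDemo.java && java SqlPatternDemo`. The first line printed contains the message inside the statement itself; in the second form the statement holds only ? placeholders and the message travels as a bound parameter, which is what removes the injection vector. The restriction mentioned above follows directly from `bind`: every placeholder is set with `setString`, so the target columns must accept a String.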

• The LF5 package was removed with no replacement.


2022-01-19 - Release of reload4j 1.2.18.1

• CVE-2022-23302 (JMSSink) - fixed by hardening the component.

• CVE-2020-9493 and CVE-2022-23307 (Chainsaw) - fixed by hardening the component.

• CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.1 by removal.

In the absence of a robust and well tested countermeasure, JDBCAppender has been removed to prevent SQL injection attacks. We have a proposed countermeasure which may yet salvage JDBCAppender. See PR 26.


2022-01-12 - Release of reload4j 1.2.18.0

First release of reload4j fixing the following issues:

• Standardize and sanitize the build.

• CVE-2021-4104 (JMSAppender) - fixed by hardening the components.

• CVE-2019-17571 (SocketServer) - fixed by hardening the component.

• Under Java 9 and later, the MDC implementation in log4j incorrectly assumed that the runtime environment was Java 1.1. This caused MDC functionality to be disabled entirely. This issue was fixed by removing the silly "are we running under Java 1.1 or earlier?" test.


2022-01-06 - start of work on reload4j project

Launch of the reload4j project. Work has begun on the website and source repositories.