Hello all,
I am happy to announce the release of logback version 1.3.0-alpha13. It
requires slf4j-api version 2.0.0-alpha5 or later.
Starting with this release, future logback releases will be
reproducible. This means that anyone checking out the code corresponding
to the release version from github and building that local copy, will
obtain an identical binary to the binary found on Maven central.
Note that due to issue MJAR-275 with the module-info.java produced in
earlier java versions, reproducible builds require Java 18.
As of version 1.3.0-alpha13, after a Model is created from XML, Model
processing is independent of any XML related code. This was the last
major hurdle to implementing new features in the 1.3.x series.
For benchmarking figures please see:
http://logback.qos.ch/performance.html
This version supports the fluent-API introduced in SLF4J
2.0.x. It also supports Jigsaw/Java9 modularization.
Joran, logback's configuration system, has been rewritten to use
an internal representation model which can be processed
separately. Given the breadth of the changes, support for
SiftingAppender and Groovy configuration have been dropped
temporarily.
No new features are available in this version. Future releases
will gradually introduce new features made possible by Joran
representation model.
The 1.3.x series requires Java 8 at runtime. If you wish to build
logback from source, you will need Java 9. Reproducible builds require
Java 18.
Donations and sponsorship
You can also support SLF4J/logback/reload4j projects via donations and
sponsorship. We thank our current supporters and sponsors for their
continued contributions.
Sponsorship link: https://github.com/sponsors/qos-ch?o=esb
Announcement mailing list:
You can receive SLF4J/logback/reload4j related announcements by
subscribing to the QOS.ch announce list; please visit the following URL.
http://www.qos.ch/mailman/listinfo/announce
Enjoy,
--
Ceki Gülcü
Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
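One way to check the reproducibility claim in the logback 1.3.0-alpha13 announcement above, as an added example that is not part of the original messages or of the logback project: compare a locally built jar with the published one byte for byte and, on mismatch, report which entries differ and why. The jars are constructed in memory, and the entry names, contents and timestamps are made up for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample input: entry names and contents are made up.
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
           ("ch/qos/Example.class", b"\xca\xfe\xba\xbe constructed bytes")]
FIXED_TIME = (2022, 1, 1, 0, 0, 0)


def build_jar(entries, timestamp):
    """Build a small jar (zip) in memory with one timestamp for all entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, content)
    return buf.getvalue()


def compare_jars(local, published):
    """Return [] when byte-identical, else a list of per-entry differences."""
    if hashlib.sha256(local).digest() == hashlib.sha256(published).digest():
        return []
    diffs = []
    with zipfile.ZipFile(io.BytesIO(local)) as a, \
         zipfile.ZipFile(io.BytesIO(published)) as b:
        names_a, names_b = a.namelist(), b.namelist()
        for name in sorted(set(names_a) ^ set(names_b)):
            side = "local" if name in names_a else "published"
            diffs.append(f"{name}: only in {side} jar")
        common = [n for n in names_a if n in names_b]
        if common != [n for n in names_b if n in names_a]:
            diffs.append("entry order differs")
        for name in common:
            if a.read(name) != b.read(name):
                diffs.append(f"{name}: content differs")
            elif a.getinfo(name).date_time != b.getinfo(name).date_time:
                diffs.append(f"{name}: timestamp differs")
    # Same entries but different bytes: compression settings, attributes, comments.
    return diffs or ["archive metadata differs"]


if __name__ == "__main__":
    ours = build_jar(ENTRIES, FIXED_TIME)
    theirs = build_jar(ENTRIES, (2022, 1, 2, 3, 4, 6))
    print(compare_jars(ours, theirs))
```

A "timestamp differs" result with identical content points at build-time metadata rather than at the code; a "content differs" result on a class file is the case that needs investigation.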
Hello all,
I am very happy to announce the immediate availability of SLF4J
version 1.7.34.
In this release, the "slf4j-log4j12" artifact automatically instructs
Maven to use the "slf4j-reload4j" artifact instead. As you might have
guessed, the "slf4j-reload4j" binding delegates log processing to the
reload4j logging framework.
The reload4j project is a fork of Apache log4j version 1.2.17 with the
goal of fixing pressing security issues. It is intended as a drop-in
replacement for log4j version 1.2.17. By drop-in, we mean the
replacement of log4j.jar with reload4j.jar in your build with no source
code changes in .java files being necessary.
Reload4j project web site: https://reload4j.qos.ch/
If you are using slf4j-log4j12 as your binding of choice, please
consider using slf4j-reload4j instead. In SLF4J version 1.7.34 and
later, this redirection is seamless and automatic.
Please refer to the news page for more details on this release:
http://www.slf4j.org/news.html
The relevant artifacts should hit the Maven central repository within
the next few hours.
The 1.7.x series:
The Simple Logging Facade for Java or (SLF4J) serves as a simple facade
or abstraction for various logging frameworks, e.g. java.util.logging,
reload4j and logback, allowing the end user to plug in the
desired logging framework at deployment time.
Binary compatibility:
Mixing different versions of slf4j-api.jar and SLF4J binding
can cause problems. For example, if you are using slf4j-api-1.7.1.jar,
then you should also use slf4j-simple-1.7.1.jar, using
slf4j-simple-1.5.5.jar will not work.
From the client's perspective all versions of slf4j-api are
compatible. Client code compiled with slf4j-api-N.jar will run
perfectly fine with slf4j-api-M.jar for any N and M. You only need to
ensure that the version of your binding matches that of the
slf4j-api.jar. You do not have to worry about the version of
slf4j-api.jar used to compile a given dependency in your project. You
can always use *any* version of slf4j-api.jar, and as long as the
version of slf4j-api.jar and its binding match, you should be fine.
Downloading SLF4J:
You can download SLF4J, including full source code, class files and
documentation from Maven central under the "org.slf4j" groupId.
Announcement mailing list:
You can receive SLF4J related announcements by subscribing to the
SLF4J announce mailing list. To subscribe to QOS.ch announce list,
please visit the following URL.
http://www.qos.ch/mailman/listinfo/announce
Donations and sponsorship
You can also support SLF4J/logback/reload4j projects via
donations and sponsorship. We thank our current supporters and
sponsors for their continued contributions.
https://github.com/sponsors/qos-ch
Enjoy,
--
Ceki Gülcü
Please contact support(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J/logback/reload4j projects.
Hello all,
I am very happy to announce the immediate availability of reload4j
version 1.2.18.2. It is intended as a drop-in replacement for log4j
version 1.2.17. By drop in, we mean the replacement of log4j.jar with
reload4j.jar in your build with no source code changes in .java files
being necessary.
Reload4j has the following Maven coordinates:
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.18.2</version>
  </dependency>
Reload4j was built using Java 8 but targets Java 1.5.
Version 1.2.8.2 corrects the following issues:
The unit tests were updated but no actual code was changed except for
the removal of NTEventAppender and the correction of the following issues:
- Standardize and sanitize the build
- CVE-2021-4104 (JMSAppender) - fixed in 1.2.18.0 by hardening
- CVE-2022-23302 (JMSSink) - fixed in 1.2.18.1 by hardening
- CVE-2019-17571 (SocketServer) - fixed in 1.2.18.0 by hardening
- CVE-2020-9493 CVE-2022-23307 (Chainsaw) - fixed in 1.2.18.1 by
hardening
- CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.1 by hardening
- broken MDC in newer JDKs - fixed in 1.2.18.0
Thanks to the remarkable work of Vladimir Sitnikov, JDBCAppender now
interprets the SQL expression on the fly so as to insert new events
using PreparedStatement instances. Note that the table column types are
restricted to those types compatible with Java's String.
Project web-site: https://reload4j.qos.ch/
Source repository: https://github.com/qos-ch/reload4j
With release 1.2.18.2 we have addressed the most pressing
issues regarding log4j 1.x vulnerabilities.
As both log4j 1.x and reload4j do *not* offer a message lookup
mechanism, they did not suffer from the notorious log4shell vulnerability.
Enjoy,
--
Ceki Gülcü
Hello all,
I am very happy to announce the immediate availability of reload4j
version 1.2.18.1. It is intended as a drop-in replacement for log4j
version 1.2.17. By drop in, we mean the replacement of log4j.jar with
reload4j.jar in your build with no source code changes in .java files
being necessary.
Reload4j has the following Maven coordinates:
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.18.1</version>
  </dependency>
Reload4j was built using Java 8 but targets Java 1.5.
Version 1.2.8.0 and 1.2.18.1 correct the following issues:
The unit tests were updated but no actual code was changed except for
the removal of NTEventAppender and the correction of the following issues:
- Standardize and sanitize the build
- CVE-2021-4104 (JMSAppender) - fixed in 1.2.18.0 by hardening
- CVE-2022-23302 (JMSSink) - fixed in 1.2.18.1 by hardening
- CVE-2019-17571 (SocketServer) - fixed in 1.2.18.0 by hardening
- CVE-2020-9493 CVE-2022-23307 (Chainsaw) - fixed in 1.2.18.1 by
hardening
- CVE-2022-23305 (JDBCAppender) - fixed in 1.2.18.1 by *removal*
- broken MDC in newer JDKs - fixed in 1.2.18.0
In the absence of a robust and well tested countermeasure, JDBCAppender
has been removed to prevent SQL injection attacks. We have a proposed
countermeasure which may yet salvage JDBCAppender.
https://github.com/qos-ch/reload4j/pull/26
Project web-site: https://reload4j.qos.ch/
Source repository: https://github.com/qos-ch/reload4j
With release 1.2.18.0 and 1.2.18.1 we have addressed the most pressing
issues regarding log4j 1.x vulnerabilities.
As both log4j 1.x and reload4j do *not* offer a message lookup
mechanism, they did not suffer from the notorious log4shell vulnerability.
Enjoy,
--
Ceki Gülcü
Hello all,
I am very happy to announce the immediate availability of SLF4J
version 1.7.33.
This release adds the "slf4j-reload4j" module which delegates logging
processing to the reload4j logging framework.
The reload4j project is a fork of Apache log4j version 1.2.17 with the
goal of fixing pressing security issues. It is intended as a drop-in
replacement for log4j version 1.2.17. By drop-in, we mean the
replacement of log4j.jar with reload4j.jar in your build with no source
code changes in .java files being necessary.
Reload4j project web site: https://reload4j.qos.ch/
If you are using slf4j-log4j12 as your binding of choice, please
consider using slf4j-reload4j instead.
Please refer to the news page for more details on this release:
http://www.slf4j.org/news.html
The relevant artifacts should hit the Maven central repository within
the next few hours.
The 1.7.x series:
The Simple Logging Facade for Java or (SLF4J) serves as a simple facade
or abstraction for various logging frameworks, e.g. java.util.logging,
log4j 1.x, reload4j and logback, allowing the end user to plug in the
desired logging framework at deployment time.
Binary compatibility:
Mixing different versions of slf4j-api.jar and SLF4J binding
can cause problems. For example, if you are using slf4j-api-1.7.1.jar,
then you should also use slf4j-simple-1.7.1.jar, using
slf4j-simple-1.5.5.jar will not work.
From the client's perspective all versions of slf4j-api are
compatible. Client code compiled with slf4j-api-N.jar will run
perfectly fine with slf4j-api-M.jar for any N and M. You only need to
ensure that the version of your binding matches that of the
slf4j-api.jar. You do not have to worry about the version of
slf4j-api.jar used to compile a given dependency in your project. You
can always use *any* version of slf4j-api.jar, and as long as the
version of slf4j-api.jar and its binding match, you should be fine.
Downloading SLF4J:
You can download SLF4J, including full source code, class files and
documentation from Maven central under the "org.slf4j" groupId.
Enjoy,
--
Ceki Gülcü
Please contact support(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J/logback/reload4j projects.
Hello all,
I am very happy to announce the immediate availability of reload4j
version 1.2.8.0. It is intended as a drop-in replacement for log4j
version 1.2.17. By drop in, we mean the replacement of log4j.jar with
reload4j.jar in your build with no source code changes in .java files
being necessary.
Reload4j has the following Maven coordinates:
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.18.0</version>
  </dependency>
Reload4j was built using Java 8 but targets Java 1.5.
Version 1.2.8.0 corrects the following issues:
The unit tests were updated but no actual code was changed except for
the removal of NTEventAppender and the correction of the following issues:
[REL-1] Standardize and sanitize project folder structure
[REL-2] CVE-2021-4104 (JMSAppender vulnerability)
[REL-3] CVE-2019-17571 (de-serialization vulnerability in SocketServer
aka CVE-2019-17571)
[REL-4] MDC breakage in newer JDKs
Project web-site: https://reload4j.qos.ch/
Source repository: https://github.com/qos-ch/reload4j
Jira: https://jira.qos.ch/
With release 1.2.8.0 we have addressed the most pressing issues
regarding log4j 1.x vulnerabilities.
Enjoy,
--
Ceki Gülcü