[2.1.x] Upgrade to Log4j2 2.18.0 (was: 2.17.3)

[grgrzybek]

https://www.mail-archive.com/announce@apache.org/msg07133.html

[grgrzybek]

Held because of https://issues.apache.org/jira/browse/LOG4J2-3424

[grgrzybek]

Waiting for 2.17.3

[grgrzybek]

Waiting for 2.18.0 (fix version changed in https://issues.apache.org/jira/browse/LOG4J2-3424)

[ecki]

Is the “was 2.17.3” in title correct? The current version is 2.17.2. The .3 was I guess the expected fixed version, but maybe that part of the evolution of this bug is not very clear to outsiders?

btw, anybody know about security issues with 2.17.1, Apache logging does not mention any?

[grgrzybek]

Is the “was 2.17.3” in title correct?

Yes, it is :) Because I created this issue to not forget the upgrade when 2.17.3 is released. And I waited for 2.17.3 because of https://issues.apache.org/jira/browse/LOG4J2-3424 which was initially targetted to be fixed in 2.17.3

The current version is 2.17.2. The .3 was I guess the expected fixed version, but maybe that part of the evolution of this bug is not very clear to outsiders?

Yeah - it may be a bit confusing, but I hope the confusion is gone once it's fixed.

btw, anybody know about security issues with 2.17.1, Apache logging does not mention any?

I don't recall any. See https://www.mail-archive.com/announce@apache.org/msg07133.html for details.

[ecki]

Agreed, looks only like “hardening” (turning off script handler and remote loading)

[grgrzybek]

Log4j2 2.18.0 is released: https://www.mail-archive.com/announce@apache.org/msg07416.html I'll update Pax Logging tomorrow.

[grgrzybek]

Due to https://issues.apache.org/jira/browse/LOG4J2-3427, org.apache.logging.log4j.util.PaxPropertySource is not loaded, breaking many Log4j2 integration tests...

[grgrzybek]

Due to https://issues.apache.org/jira/browse/LOG4J2-3366, I had to add property names to org.apache.logging.log4j.util.PaxPropertySource and reimplement it a bit.