2.22.0

This releases provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact and contains bug fixes addressing issues in the JPMS & OSGi infrastructure overhauled in 2.21.0, dependency updates, and some other minor fixes and improvements.

CycloneDX Software Bill of Materials (SBOM)

This is the first Log4j release that provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact. Generated SBOMs are attached as artifacts with cyclonedx classifier and XML extensions, that is, <artifactId>-<version>-cyclonedx.xml. They contain vulnerability-assertion references to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains. This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml[]

SBOM generation is streamlined by logging-parent, see its website for details.

Changed

• Change the order of evaluation of FormattedMessage formatters. Messages are evaluated using java.util.Format only if they don't comply to the java.text.MessageFormat or ParameterizedMessage format. (#1223)
• Change default encoding of HTTP Basic Authentication to UTF-8 and add log4j2.configurationAuthorizationEncoding property to overwrite it. (#1970)
• Update com.fasterxml.jackson:jackson-bom to version 2.16.0 (#1974)
• Update com.github.luben:zstd-jni to version 1.5.5-10 (#1940)
• Update com.google.guava:guava to version 32.1.3-jre (#1875)
• Update io.netty:netty-bom to version 4.1.101.Final (#1960)
• Update org.eclipse.persistence:org.eclipse.persistence.jpa to version 2.7.13 (#1900)
• Update org.fusesource.jansi:jansi to version 2.4.1 (#1907)
• Update org.mongodb:bson to version 4.11.1 (#1957)
• Update org.springframework:spring-framework-bom to version 5.3.30
• Update org.springframework.boot:spring-boot to version 2.7.17 (#1874)
• Update org.springframework:spring-framework-bom to version 5.3.31 (#1973)
• Update org.zeromq:jeromq to version 0.5.4 (#1878)

Removed

• Removed unused FastDateParser which was causing unnecessary heap overhead (LOG4J2-3672, #1848)

Fixed

• Fix MDC pattern converter causing issues for %notEmpty (#1922)
• Export missing OSGi & JPMS modules in log4j-layout-template-json and log4j-1.2-api (#1895)
• Fix spring-test dependency scope change (LOG4J2-3675)
• Fix JPMS descriptors causing jlink issues (#1896)
• Add missing Implementation- and Specification- entries to MANIFEST.MF (implemented by logging-parent version 10.3.0 update) (#1923)
• Fix NotSerializableException thrown when Logger is serialized with a ReusableMessageFactory (#1884)

2.21.1

This patch release contains only the fix of a log4j-jcl bug that prevents it from connecting with commons-logging.

The Log4j 2.21.1 API, as well as the other artifacts, maintains binary compatibility with the previous release.

Apache Log4j 2.21.1 requires Java 8 to run.
The build requires JDK 11 and generates reproducible binaries.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, get support, or suggestions for improvement, see the Apache Log4j 2 website.

Fixed

• Fixes the Apache Commons Logging (JCL) bridge: log4j-jcl. (#1865)

2.21.0

This release primarily focuses on enhancements to our OSGi and JPMS support and contains several bug fixes.
It will be the first release built and signed by the CI using the ASF Logging Services Release Manager GPG key,
which is shared in KEYS.

The Log4j 2.21.0 API, as well as the other artifacts, maintains binary compatibility with the previous release.

Apache Log4j 2.21.0 requires Java 8 to run.
The build requires JDK 11 and generates reproducible binaries.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, get support, or suggestions for improvement, see the Apache Log4j 2 website.

OSGi changes

All the published artifacts are OSGi bundles or fragments.

This release introduces a change in the bundle symbolic names to allow them to function as JPMS module name: all hyphens - present in the bundle names of previous releases were replaced by dots ..

JPMS changes

All the published artifacts have been migrated from automatic modules to named JPMS modules.
All packages marked as private in the Javadoc are not exported.

The module name of four bridges (log4j-slf4j-impl, log4j-slf4j2-impl, log4j-to-jul and log4j-to-slf4j) have been changed to adhere to the same convention as the OSGi bundle names.

Added

• Added marker parent support to JsonTemplateLayout (#1381)
• Added ZStandard compression support (#1508, #1514)
• Added a warning for incorrect syntax of highlighting styles (#1545, #1637)

Changed

• Open FileExtension methods to allow their usage in custom RolloverStrategys (#1365, #1683)
• Bumped the minimum Java version required for the build to JDK 11. Runtime requirements remain unchanged. (#1369)
• Set the default minLevel and maxLevel of LevelRangeFilter to OFF and ALL, respectively (#1503)
• Removed additional isFiltered checks in AsyncLoggerConfig (#1550)
• Use Java version-specific warnings in StackLocator (#1760)
• Started logging a status error event instead of an NPE in OsgiServiceLocator.loadServices(Class, Lookup, boolean) when a bundle has no valid BundleContext for a service type
• Implemented a CI-based release process
• Update Eclipse Angus Activation to version 2.0.1 (#1591)
• Update Eclipse Angus Mail to version 2.0.2 (#1591)
• Update com.datastax.cassandra:cassandra-driver-core to version 3.11.5 (#1591)
• Update Apache Cassandra to version 3.11.16 (#1591)
• Update Apache Commons Compress to version 1.24.0 (#1591)
• Update Apache Commons CSV to version 1.10.0 (#1591)
• Update Jackson to version 2.15.2 (#1591)
• Update Jakarta Activation API to version 2.1.2 (#1591)
• Update Jakarta Mail API to version 2.1.2 (#1591)
• Update JCTools to version 4.0.1 (#1591)
• Update Apache Kafka to version 3.4.0 (#1591)
• Update Kubernetes client to version 5.12.4 (#1591)
• Update org.mongodb:mongodb-driver-core to version 4.10.2 (#1591)
• Update io.netty:netty-bom to version 4.1.97 (#1591)
• Update Spring Boot to version 2.7.15 (#1591)
• Update Spring Framework to version 5.3.29 (#1591)
• Update Tomcat JULI to version 10.0.27 (#1591)
• Update Woodstox to version 6.5.1 (#1591)

Removed

• Moved log4j-jmx-gui to its own repository along with its own release cycle

Fixed

• Added validation to rolling file manager path conditions (#1231)
• Adapted the OSGi metadata of log4j-to-slf4j to work with SLF4J 1 and 2. To achieve that used a version range of [1.7,3) for the imported SLF4J packages. (#1232)
• Fixed Javadoc failures (#1275, #1753)
• Removed locale-dependent toLowerCase/toUpperCase calls (#1281)
• Redirected old /<module>/apidocs URLs (broken in 2.20.0) to /javadoc/<module> (#1284)
• Added environment variable arbiter (#1312)
• Fixed logging of java.sql.Date objects by appending it before Log4J tries to call java.util.Date.toInstant() on it (#1366)
• Adapted the OSGi metadata of log4j-api, log4j-core, log4j-slf4j-impl and log4j-slf4j2-impl to activate the bundle when it is accessed. To achieve that set the Bundle-ActivationPolicy to lazy for the log4j bundles. (#1367)
• Avoided using released objects in StackTraceStringResolver of JsonTemplateLayout (#1380)
• Added missing setter for connectionStringSource in MongoDb4Provider builder (#1389)
• Fixed NPE in PluginElementVisitor (#1391)
• Added columnType as alias for the column mapping type attribute (#1405)
• Restored Log4jMarker visibility in SLF4J adapters (#1414)
• Fixed buffer size in Log4jFixedFormatter date time formatter (#1418)
• Fixed the propagation of synchronous action failures in RollingFileManager and FileRenameAction (#1445, #1549)
• Fixed RollingFileManager to propagate failed synchronous actions correctly (#1445)
• Replaced the usage of System.out in StackLocator for warnings with System.err (#1484)
• Fixed concurrent date-time formatting issue in PatternLayout (#1485)
• Fixed runtime dependencies documentation (#1530)
• Allowed to override FQCN in Log4jEventBuilder by implementing CallerBoundaryAware (#1533)
• Migrated MongoDB tests to JUnit 5 and Flapdoodle Embedded MongoDB 4 (#1589)
• Rewrote message parameter formatter with improved escape handling (#1626)
• Improved formatting and serialization of StackTraceElement on JDK 9+ (#1640)
• Fixed MemoryMappedFileAppender buffer unmapping on JRE 9+ (#1646)
• Fixed rollover strategy in the Log4j 1.x compatibility layer (#1650)
• Removed incorrect mention of base64 lookup and improve the rest of the lookup manual (#1681, LOG4J2-3504)
• Implemented LocationAware for JsonTemplateLayout, since this was causing location not being passed to underlying appenders (#1692)
• Added support for long values in MongoDb 4 appender to configure collectionSize (#1747)
• Only shutdown Log4j after last Log4jServletContextListener is executed (#1782)
• Allowed using Spring Arbiter without a Spring environment (#1783)
• Fixed context data loss if <AsyncLogger> components are used with an all async logger context (#1786)
• Fixed JsonTemplateLayout NPE thrown on custom log levels (#1805)
• Improved Log4j-config.xsd schema LOG4J2-170
• Fixed NPE in ContextSelector (LOG4J2-3217, #1538)
• Avoided allocating ThreadLocals in AbstractLogger when they are disabled, since this was causing memory leaks due to retained reference to class loaders in web applications LOG4J2-3657
• Fixed %notEmpty directive of PatternLayout for empty MDC/NDC inputs LOG4J2-3660
• Fixed file descriptor leak on Tomcat LOG4J2-3663
• Ensured FileOutputStream is closed in CommonsCompressAction.execute()