[ANN] Pax Logging 2.1.0, 2.0.15, 1.12.0, 1.11.14 and 1.10.10 released (5 versions)

1 view
Skip to first unread message

Grzegorz Grzybek

unread,
Jan 26, 2022, 6:05:32 AM1/26/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

Due to recently discovered Log4j1 CVEs:
  • CVE-2021-4104 - JMSAppender + JNDI
  • CVE-2022-23302 - JMSSink.main() + JNDI
  • CVE-2022-23305 - JDBCAppender SQLInjection
  • CVE-2022-23307 - Chainsaw component
And due to emerging Reload4j project[1] which is a fork of original ASF's Log4j project (forked by Ceki Gülcü - author of Log4j1 and Logback) we've decided to release updated versions of Pax Logging project itself.

There are two completely new minor releases - 1.12.x and 2.1.x and they have two goals:
  • be binary/API compatible with (respectively) 1.11.x and 2.0.x branches
  • ship only pax-logging-logback and pax-logging-log4j2 "backends" (no more log4j1 implementation)
On the other hand, branches 1.10.x, 1.11.x and 2.0.x do not remove any features and they have only one goal:
  • switch from log4j:log4j to ch.qos.reload4j:reload4j dependencies
All 5 releases in general preserve one feature:
  • they still contain log4j1 API - pax-logging-api still exports org.apache.log4j{.config,.helpers,.or,.pattern,.spi,.xml} packages but as always the classes like org.apache.log4j.Logger only delegate to underlying Pax Logging machinery (thus delegating to selected backend - like Logback or Log4j2)
So all 5 releases are natural replacements of previous versions - even if your other bundles require Log4j1 API packages. Simply in 2.1.0 and 1.12.0 you won't find Log4j1's JMSAppender, JDBCAppender or actually any other Log4j1 appender or JNDI/LDAP code.

All the release notes can be found using the following links:
kind regards
Grzegorz Grzybek
===

Grzegorz Grzybek

unread,
Feb 24, 2022, 4:16:01 AM2/24/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce the release of 4 Pax Logging versions with two version updates:
  • SLF4J 1.7.36 (not much affecting Pax Logging - just a version update)
  • Reload4J 1.2.19 (aligning to latest upstream version) in 1.11.15 and 2.0.16 (the 1.12.x and 2.1.x branches do not contain log4j1 backend)
And two improvements:
  • Allowing Log4j2's JsonTemplateLayout (JSON without Jackson)
  • "org.ops4j.pax.logging.eventAdminEnabled" system/context property that allows disabling of EventAdmin integration - even if EventAdmin is mandatory in org.osgi.service.log specification (if available), it greatly affects performance (even on async logging), so this property should increase performance. See the github issue[1]

All the release notes can be found using the following links:
kind regards
Grzegorz Grzybek
===

Grzegorz Grzybek

unread,
Mar 10, 2022, 7:01:39 AM3/10/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce the release of 4 Pax Logging versions with one version update:
  • Logback 1.2.11
One improvement:
  • "org.ops4j.pax.logging.logReaderEnabled" system/context property that allows disabling of org.osgi.service.log.LogReaderService registration. While it's a bit against the specification, it speeds up logging process (no more synchronized access to shared LinkedList.
And one bug fix:
  • NPE when MDC contains null value and EventAdmin integration is enabled
All the release notes can be found using the following links:

Grzegorz Grzybek

unread,
Jul 5, 2022, 9:17:51 AM7/5/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce the release of Pax Logging 2.1.3 with just one update:
  • Log4j2 2.18.0
Updating to 2.18.0 helped with one CCE problem related to JeroMqAppender.

I'd like to mention that lines 2.0.x and 1.11.x are no longer a priority because they include log4j1 "backend".
And line 1.12.x without log4j1 backend is based on OSGi CMPN R6 which is already quite old.

So if you can, please migrate to 2.1.x. If you can't, please let us know ;)

kind regards
Grzegorz Grzybek

Grzegorz Grzybek

unread,
Jul 5, 2022, 9:30:02 AM7/5/22
to d...@karaf.apache.org, ops4j-ann...@googlegroups.com
Hello


wt., 5 lip 2022 o 15:23 Eric Lilja <mindc...@gmail.com> napisał(a):
Great, thanks!

Question: Will Pax Exam be updated to use this version, it uses an ancient
version doesn't it?

I think it does. I never released Pax Exam versions (though I did one deadlock fix I guess). In all other Pax projects I worked, I used Pax Exam in "custom mode", which allowed me to use any Pax Logging version I wanted :) (check Pax Web, Pax JDBC, Pax JMS, Pax Transx).
Pax Logging itself is also tested using Pax Exam ;)

But answering your question, I think there should be no problem upgrading Pax Exam itself.

regards
Grzegorz Grzybek
 

- Eric L


On Tue, Jul 5, 2022 at 3:18 PM Grzegorz Grzybek <gr.gr...@gmail.com>
wrote:

> Hello
>
> I'd like to announce the release of Pax Logging 2.1.3 with just one update:
>
>    - Log4j2 2.18.0

>
> Updating to 2.18.0 helped with one CCE problem related to JeroMqAppender.
>
> I'd like to mention that lines 2.0.x and 1.11.x are no longer a priority
> because they include log4j1 "backend".
> And line 1.12.x without log4j1 backend is based on OSGi CMPN R6 which is
> already quite old.
>
> So if you can, please migrate to 2.1.x. If you can't, please let us know ;)
>
> The release notes can be found here:
>
>    - 2.1.3:

Grzegorz Grzybek

unread,
Jul 6, 2022, 3:57:19 AM7/6/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce the release of Pax Logging 2.0.18 with just one update:
  • Log4j2 2.18.0
This is simply a follow up of Pax Logging 2.1.3 release. Pax Logging 2.0.x is exactly the same as 2.1.x, but includes legacy log4j1 backend.

The release notes can be found here:

Grzegorz Grzybek

unread,
Aug 29, 2022, 7:00:30 AM8/29/22
to ops4j-ann...@googlegroups.com, Karaf Dev
Hello

First - to lower some confusion about Pax Logging versions, I've created a handy (I hope) https://github.com/ops4j/org.ops4j.pax.logging#versions page.

Just to refresh some dependencies, I've released 4 versions of minor releases with reload4j dependency upgrade:
  • 2.1.4 - R7 without Log4j1 backend
  • 2.0.19 - R7 with Log4j1 backend
  • 1.12.3 - R6 without Log4j1 backend
  • 1.11.17 - R6 with Log4j1 backend
Additionally, there's a new release 2.2.0, which exports "org.osgi.service.log" package with version 1.5 (OSGi R8).

All the release notes can be found using the following links:

Grzegorz Grzybek

unread,
Jan 9, 2023, 4:09:45 AM1/9/23
to OPS4J, ops4j-ann...@googlegroups.com, Karaf Dev
Hello

First - I've updated https://github.com/ops4j/org.ops4j.pax.logging#versions page which now marks only 2 versions as active. Here's more detailed explanation:
  • versions 1.9.x and 1.10.x are pre-refactoring versions without any real integration tests
  • version 1.11.x and 1.12.x are both based on OSGi CMPN Log service 1.3, but version 1.11.x includes Log4j1 backend. I've decided to keep and maintain only version 1.12.x, because we don't want to use Log4j1 backend anymore. The Log4j1 API is still available though. So please use 1.12.x for Felix 5.6 / Karaf 4.2
  • version 2.0.x (with Log4j1 backend) and 2.1.x (without Log4j1 backend) are based on OSGi CMPN Log service 1.4 and because Log service 1.5 is identical, I've decided to keep and maintain only version 2.2.x
The most important change in 1.12.4 and 2.2.1 is related to SLF4J 2.x API support. Actually the interfaces didn't change since version 1.7.x, but there was a change with discovery of logging backend. Instead of static org.slf4j.impl.StaticLoggerBinder, SLF4J 2 now relies on /META-INF/services/org.slf4j.spi.SLF4JServiceProvider which is now providing org.ops4j.pax.logging.slf4j.PaxLoggingSLF4JServiceProvider service.

From the API point of view nothing has changed except that pax-logging-api now exports `org.slf4j` package with version 2.0.6 (in addition to version 1.4, 1.5, 1.6 and 1.7). That's important for OSGi bundles compiled with maven-bundle-plugin (or bnd-maven-plugin) with default configuration which would generate this import header:

Import-Package: org.slf4j;version="[2.0,3.0)".

This would cause problems before Pax Logging 2.2.1 and 1.12.4.

All the release notes can be found using the following links:

Grzegorz Grzybek

unread,
Feb 24, 2023, 3:12:52 AM2/24/23
to OPS4J, ops4j-ann...@googlegroups.com, Karaf Dev
Hello

After previous more important release of Pax Logging 2.2.1 and 1.12.4 where SLF4J 2.0 support was added, I'd like to announce minor releases where only Log4j2 version was upgraded to 2.20.0.

kind regards
Grzegorz Grzybek

Grzegorz Grzybek

unread,
Jul 25, 2023, 6:40:29 AM7/25/23
to OPS4J, ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce minor releases of Pax Logging 1.12.6 (OSGi R6) and 2.2.3 (OSGi R8). These releases include minor version upgrades:
  • reload4j 1.2.25
  • Tomcat JULI 9.0.78
  • Logback 1.3.8
Also Pax Logging 2.2.3 contains a fix related to duplicate "{}" placeholder replacement (thanks Rastislav Papp for the report!)

The short release notes can be found using the following links:

Grzegorz Grzybek

unread,
Sep 15, 2023, 5:34:37 AM9/15/23
to OPS4J, ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce minor releases of Pax Logging 1.12.7 (OSGi R6) and 2.2.4 (OSGi R8).

There's only one NPE fix in pax-logging-api bundle.

The short release notes can be found using the following links:

Grzegorz Grzybek

unread,
Oct 18, 2023, 6:50:05 AM10/18/23
to Karaf Dev, ops4j-ann...@googlegroups.com, OPS4J
Hello

I'd like to announce minor releases of Pax Logging 1.12.8 (OSGi R6) and 2.2.5 (OSGi R8).

The upgrades are:
  • Log4j2 2.21.0
  • Logback 1.3.11
And thanks to Wouter Born, pax-logging-log4j2 and pax-logging-logback source jars include source code of related Log4j2 / Logback libraries.

kind regards
Grzegorz Grzybek

Grzegorz Grzybek

unread,
Jan 9, 2024, 4:04:55 AM1/9/24
to OPS4J, ops4j-ann...@googlegroups.com, Karaf Dev
Hello

I'd like to announce minor releases of Pax Logging 1.12.10 (OSGi R6) and 2.2.7 (OSGi R8).

The single upgrade Logback 1.3.14.

The release notes can be found using the following links:

Grzegorz Grzybek

unread,
Jan 16, 2025, 6:25:53 AMJan 16
to Karaf Dev, OPS4J, ops4j-ann...@googlegroups.com
Hello

I'd like to announce minor releases of Pax Logging 1.12.11 (OSGi R6) and 2.2.8 (OSGi R8).

Logback was upgraded to 1.3.15.
Log4j2 was upgraded to 2.24.3 (with new plugin discovery mechanism).

The release notes can be found using the following links:

Grzegorz Grzybek

unread,
Mar 31, 2025, 3:49:14 AMMar 31
to Karaf Dev, OPS4J, ops4j-ann...@googlegroups.com
Hello

I'd like to announce new release of Pax Logging 2.3.0 and minor releases of existing branches: Pax Logging 1.12.12 (OSGi R6) and 2.2.9 (OSGi R8).

Pax Logging 2.3.0 is a new release with new version of Logback that requires at least JDK 11 (that's why new version line - 2.3.x).

Dependencies were upgraded to newest versions (Tomcat JULI, Reload4j, Commons Logging).

Additionally Pax Logging also exports JULI packages at version 10, 10.1 and 11 (for upcoming Pax Web 10).

There's one issue fixed where new JUL loggers didn't use OSGI configuration - thanks github.com/ffays for the report!

Main GH page contains updated compatibility table: https://github.com/ops4j/org.ops4j.pax.logging?tab=readme-ov-file#versions

The release notes can be found using the following links:

Grzegorz Grzybek

unread,
Jun 17, 2025, 12:44:30 PMJun 17
to Karaf Dev, ops4j-ann...@googlegroups.com, OPS4J
Hello

I'd like to announce new release of Pax URL 2.6.17 and 3.0.1.

These are micro releases:
  • Pax URL 2.6.17 fixes memory leak with LocalRepository instance (thanks Felix Marx for finding it!).
  • Pax URL 2.6.17 again should work with JDK8
  • Pax URL 3.0.1 brings back Maven dependency on org.slf4j:jcl-over-slf4j which was missing, so it broke some deployment scenarios
The release notes can be found using the following links:

Grzegorz Grzybek

unread,
Aug 28, 2025, 6:01:48 AM (12 days ago) Aug 28
to Karaf Dev, ops4j-ann...@googlegroups.com, OPS4J
Hello

I'd like to announce new releases of Pax Logging 2.3.1 (OSGi R8, JDK 11), Pax Logging 2.2.10 (OSGi R8, JDK 8) and Pax Logging 1.12.13 (OSGi R6, JDK 8).

There's just one upgrade - Log4j2 2.25.1, so we're back at the latest version.

Main GH page contains updated compatibility table: https://github.com/ops4j/org.ops4j.pax.logging?tab=readme-ov-file#versions

The release notes can be found using the following links:
Reply all
Reply to author
Forward
0 new messages