5.3.9.32-SNAPSHOT adds Log4j2 support, removing log4j1

Zackster · January 15, 2022, 2:05pm

Lucee 5.3.9.32-SNAPSHOT now uses log4j2 with log4j1 completely removed

Anyone using custom log appenders will need to update them to use log4j2, as we can’t be backwards compatible without including the old lib (which isn’t vulnerable, only unmaintained).

and yes, we will be updating to 2.17.1 before anyone asks…

The 5.3.9 sprint has a few remaining tickets before we release RC1, feel free to start testing

5.3.9 completed highlights so far include

Java 17 support [LDEV-3526] Update Felix to 6.0.5 to support Java >= 16 - Lucee
QoQ fixes https://luceeserver.atlassian.net/issues/?jql=status%20%3D%20QA%20AND%20labels%20%3D%20QofQ
static fixes https://luceeserver.atlassian.net/issues/?jql=labels%20%3D%20static%20AND%20Sprint%20%3D%2056%20ORDER%20BY%20updated%20DESC
cfhttp logging [LDEV-3810] add trace logging for cfhttp calls - Lucee
better decimal handling with json https://luceeserver.atlassian.net/issues/?jql=labels%20%3D%20numeric%20AND%20Sprint%20%3D%2056
performance improvements with arguments [LDEV-3520] Slow performance on arguments scope due to casting strings to Double - Lucee
better exception handling
configImport [LDEV-3790] add function ConfigImport - Lucee

See the sprint board to each ticket
https://luceeserver.atlassian.net/jira/software/c/projects/LDEV/boards/10?selectedIssue=LDEV-3801&sprint=56

Zackster · January 15, 2022, 2:05pm

thefalken · January 17, 2022, 9:24am

Happy new year @Zackster !

This is great news; removes a possible pain point from any future code audits

Zackster · January 17, 2022, 5:49pm

5.3.9.43-SNAPSHOT now uses 2.17.1, just waiting for maven to update before it can build

jclausen · January 21, 2022, 3:14am

@Zackster Looks like both the log4j 1.2.16 and 1.2.17 bundles are downloading when starting up a Lucee server, however. I’m assuming this is coming in as a dependency in one of the org.lucee bundles in MANIFEST.MF

I’m not sure where 1.2.16 is coming from.

If you remove the two 1.2.x jars from the bundles directory and clear the felix-cache directory, only 1.2.17 re-downloads to the bundles directory.

Zackster · January 21, 2022, 3:51pm

Please always state which exact version of Lucee!

1.2.16 is coming from the old Lucene search extension, you can see that via the Bundles in the admin

as 5.3.9 is in active development, always test with the latest snapshot

jclausen · January 21, 2022, 4:46pm

@Zackster 5.3.9.50-SNAPSHOT

cubortea · July 13, 2022, 9:37am

yesterday lucee.org was down, and my application cannot start because of this.
I get error:
ERROR: Failed to download the bundle [log4j:1.2.17]
from [http://release.lucee.org/rest/update/provider/download/log4j/1.2.17/?serverId=c25a2e22f6da9088aeeedf932120a75a&serverSecurityKey=aed6b5d8-0b75-4316-9db0-d9444f11a41f&allowRedirect=true&jv=11.0.15]

FYI, I use lucee 5.3.9.141 with docker-commandBox image jdk11-3.5.3