From 71e706a644ad7a84db169a4bdb1775a3f1e4450d Mon Sep 17 00:00:00 2001 From: Simon Kitching Date: Sun, 19 Nov 2006 09:17:43 +0000 Subject: [PATCH] General updates git-svn-id: https://svn.apache.org/repos/asf/jakarta/commons/proper/logging/trunk@476777 13f79535-47bb-0310-9956-ffa450edef68 --- RELEASE-NOTES.txt | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt index 2fecf4a..e408a34 100644 --- a/RELEASE-NOTES.txt +++ b/RELEASE-NOTES.txt @@ -58,7 +58,9 @@ behaviour. In earlier releases, this method did not use an AccessController when obtaining the context classloader. In version 1.1 it did. In this release, it has reverted to not using an AccessController; any user-level code that needs to obtain a context classloader should itself create an AccessController, and call the -LogFactory.getContextClassLoader method via the doPrivileged method. +LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a +potential security issue, where untrusted code could get access to the context +classloader if a signed JCL library was in the classpath. == Dependencies == 
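Review bot: The sentence added at the end of the incompatibilities paragraph states the consequence ("untrusted code could get access to the context classloader") but not the mechanism, and the mechanism is what a reader deciding how to write their own privileged call needs. When a signed/privileged JCL jar wrapped the lookup in its own doPrivileged, the permission check stopped at JCL's own permissions and the caller's lack of permission was never consulted, so anything that could call LogFactory.getContextClassLoader obtained a classloader it could not have obtained directly. Suggest spelling that out, e.g. "... because a doPrivileged block inside a privileged JCL jar ends the permission check at JCL itself, so callers without permission to read the context classloader obtained it through LogFactory." While in this paragraph, the unchanged context line "should itself create an AccessController" misdescribes the API (AccessController is a static utility; the caller wraps its call in AccessController.doPrivileged); worth fixing in the same edit since the new sentence sits right after it.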
@@ -85,12 +87,13 @@ File commons-logging-api-nn.jar provides minimal adapters to external logging libraries, just the internally implemented SimpleLog and NoOpLog classes plus Jdk14Logger (which is currently required by Apache Tomcat). -This jar file may be used as a declared dependency for projects that care about -"transitive dependencies" and can't handle jar files such as commons-logging-nn.jar -which have "optional" dependencies depending on how they are used. In addition, -this jar file can be useful for "rebundlers" of JCL who recompile the source-code -but who may not be able to recompile against the full set of supported adapters; -such projects should be able to at least recreate an equivalent of this jar file. +The file commons-logging-api-nn.jar may be used as a declared dependency for +projects that care about "transitive dependencies" and can't handle jar files +such as commons-logging-nn.jar which have "optional" dependencies depending on +how they are used. In addition, this jar file can be useful for "rebundlers" of +JCL who recompile the source-code but who may not be able to recompile against +the full set of supported adapters; such projects should be able to at least +recreate an equivalent of this jar file. == General Notes == 
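Review bot: The rewrapped paragraph's rationale for commons-logging-api-nn.jar is now out of step with the MEV-392 entry added later in this same patch: once the official pom.xml declares the adapter dependencies as optional, projects that "care about transitive dependencies" no longer need to avoid commons-logging-nn.jar for that reason, so the paragraph should say when the api jar is still the right choice (builds that cannot express optional dependencies) or cross-reference the MEV-392 note. Otherwise this hunk is wording only; replacing "This jar file" with "The file commons-logging-api-nn.jar" is an improvement because the paragraph can now be read without the one before it.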
@@ -108,19 +111,37 @@ Software Foundation licensing rules. The terms and conditions are unaltered; this merely affects how those are presented in the source files. See http://www.apache.org/legal/src-headers.html +This release can be built/tested with maven 2.0.4. Maven 1.x and Ant continue +to be supported. + == Bugs Fixed == * LOGGING-106: JCL 1.1 was completely unusable under a security policy that prevented access to system properties. Even signing/authorising the JCL library was not sufficient. This has been fixed by (a) catching SecurityException and falling back to a sensible default, and (b) using AccessController so JCL can be granted - privileges without needing the caller to have them too. + privileges without needing the caller to have them too. * LOGGING-107: JCL 1.1 auto-discovery failed under a security policy that prevented calls to ClassLoader.getParent. Signing/authorising the JCL library was not sufficient as an AccessController was not used. This has been fixed by catching SecurityException and using an AccessController. +* MEV-392 (http://jira.codehaus.org/browse/MEV-392) + As JCL didn't provide a Maven2 pom.xml file, one was helpfully created by people + not involved with the commons-logging project and published to the standard maven + repositories. Unfortunately this pom declared normal dependencies on all the logging + libraries that are supported by the core JCL distribution, meaning they all get pulled + into a project that declares a dependency on JCL1.1. This release now provides an + "official" pom.xml which declares these dependencies as optional so they aren't + automatically included in projects that depend on JCL 1.1.1. + +* (no bug#): Fix thread-safety bug (SimpleDateFormat.format is not thread-safe). + Thanks to Martin Wilson of bright-interactive for the bug report. + +* (no bug#): Security issue regarding access to context classloader (see incompatibilities + section above). + DEPRECATIONS: ============
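Review bot: The MEV-392 entry is inconsistent about which version it describes: "pulled into a project that declares a dependency on JCL1.1" (also missing a space) versus "projects that depend on JCL 1.1.1" two lines later. The third-party pom was published for 1.1 and the fix ships with this release, so suggest "... declares a dependency on JCL 1.1. This release (1.1.1) now provides an "official" pom.xml ..." so readers understand that the 1.1 pom already in the repositories is unchanged and only 1.1.1 carries the optional dependencies. Two smaller points: the "(no bug#)" SimpleDateFormat item should name the class that held the shared formatter so users can tell whether they were exposed, and the -/+ pair on "privileges without needing the caller to have them too." appears identical in the diff, so it is presumably a whitespace-only change that adds noise to a release-notes commit.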