Terminator2307/PatchFixingAssessmentSolutionRepo

Log4j 2.15.0 — Backport of LOG4J2-3211

Backports commit 27972043b76c9645476f561c5adc483dec6d3f5d ("LOG4J2-3211 — Remove Message Lookups") from apache/logging-log4j2 onto the rel/2.15.0 tag.

LOG4J2-3211 is one of the two changes Apache shipped in 2.16.0 to close out CVE-2021-45046. It strips the message-lookup code path out of MessagePatternConverter. The other half (LOG4J2-3208 — "disable JNDI by default") is not in scope here; the assessment specifies only commit 27972043.

What's in this repo

  • PATCH.md — patch identity, conflicts, resolution
  • RESULTS.md — build/test results across four levels
  • log4j-patch.patch — the upstream commit as a unified diff
  • patched-source.bundle — git bundle of the patched working tree (branch assessment/2.15.0-cve-fix). Restore with git clone patched-source.bundle logging-log4j2.
  • build-logs/ — raw mvn output for each phase

Reproduce

Tested on macOS (arm64), OpenJDK 11.0.30, Maven 3.9.11.

git clone https://github.com/apache/logging-log4j2.git
cd logging-log4j2
git checkout -b verify rel/2.15.0
git fetch origin 27972043b76c9645476f561c5adc483dec6d3f5d
git cherry-pick 27972043b76c9645476f561c5adc483dec6d3f5d

# Two non-code conflicts (changes.xml, layouts.xml.vm) — take the patch's side:
git checkout --theirs src/changes/changes.xml src/site/xdoc/manual/layouts.xml.vm
git add -A && git -c user.name=You -c user.email=you@x cherry-pick --continue --no-edit

mvn -pl log4j-api,log4j-core -am clean install -DskipTests \
    -Drat.skip -Dpmd.skip -Dcheckstyle.skip -Dspotbugs.skip \
    -Denforcer.skip -Danimal.sniffer.skip -Dmaven.javadoc.skip

You'll also need a ~/.m2/toolchains.xml defining JDK 9 / JDK 11 toolchains for the multi-release-jar sub-modules — see RESULTS.md.

Result

The patch's code changes apply cleanly (the only conflicts are in documentation files), the tree builds, and 990 of 1010 tests across log4j-api and log4j-core pass. None of the 20 non-passes are caused by the patch — they're all artefacts of running a Dec-2021 codebase on a Jan-2026 JDK build (TLS defaults, removed sun.reflect.* internals, macOS mmap behaviour). Per-failure breakdown in RESULTS.md.
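One way to check that a backport with hand-resolved doc conflicts still carries the same code change as the upstream commit is to compare git patch-ids with the conflicted files left out. This is an added example, not part of this repository; the function names and the small demo repository (branch "release", tag "upstream-fix", its two files) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the repository. Demo branch, tag and file names are constructed.

# Print the patch-id of COMMIT's +/- lines in REPO, leaving out the given paths.
# -U0 drops context lines so drift around the hunks does not change the id.
code_patch_id() {
    repo=$1 commit=$2; shift 2
    # Rewrite each remaining argument into an ":(exclude)PATH" pathspec.
    for p in "$@"; do set -- "$@" ":(exclude)$p"; shift; done
    git -C "$repo" diff -U0 "$commit^" "$commit" -- . "$@" |
        git patch-id --stable | cut -d' ' -f1
}

# Succeed only if UPSTREAM and BACKPORT make the same change outside the excluded paths.
same_code_change() {
    repo=$1 upstream=$2 backport=$3; shift 3
    a=$(code_patch_id "$repo" "$upstream" "$@")
    b=$(code_patch_id "$repo" "$backport" "$@")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed stand-in: branch "release" is the old tag, tag "upstream-fix" is the fix.
# The fix conflicts only in changes.xml, resolved by taking the patch's side.
make_demo_repo() {
    d=$1
    g="git -C $d -c user.name=demo -c user.email=demo@example.invalid -c core.editor=true"
    git init -q "$d"
    printf 'format\nlookup\nappend\n' > "$d/Converter.java"
    printf 'notes v1\n' > "$d/changes.xml"
    $g add -A && $g commit -qm 'base'
    $g branch release
    printf 'notes v2\n' > "$d/changes.xml"
    $g commit -qam 'docs move on upstream'
    printf 'format\nappend\n' > "$d/Converter.java"
    printf 'notes v3\n' > "$d/changes.xml"
    $g commit -qam 'remove lookup'
    $g tag upstream-fix
    $g checkout -q release
    $g cherry-pick upstream-fix >/dev/null 2>&1 || {
        $g checkout --theirs changes.xml
        $g add -A
        $g cherry-pick --continue >/dev/null
    }
}
```

Against the tree built under Reproduce, the call would be `same_code_change logging-log4j2 27972043b76c9645476f561c5adc483dec6d3f5d verify src/changes/changes.xml src/site/xdoc/manual/layouts.xml.vm`. A mismatch does not prove the backport is wrong, only that its added or removed lines differ from upstream and need a manual diff.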


Disclosure: I used Claude (Anthropic) to help draft the documentation files in this repo. The technical work — applying the patch, building, and running the tests — was performed locally on my machine; test counts and failure classifications come from the actual logs in build-logs/.
