Changes for release

log4j-distribution/pom.xml

@@ -523,11 +523,35 @@
                 </fileSet>
               </fileSets>
               <csvSummary>false</csvSummary>
-              <appendFilename>true</appendFilename>
             </configuration>
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <version>3.0.0</version>
+        <executions>
+          <execution>
+            <phase>post-integration-test</phase>
+            <configuration>
+              <target>
+                <property name="spaces" value="  "/>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-src.zip.sha256" append="yes">${spaces}apache-log4j-${project.version}-src.zip</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-src.zip.sha512" append="yes">${spaces}apache-log4j-${project.version}-src.zip</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-src.tar.gz.sha256" append="yes">${spaces}apache-log4j-${project.version}-src.tar.gz</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-src.tar.gz.sha512" append="yes">${spaces}apache-log4j-${project.version}-src.tar.gz</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-bin.zip.sha256" append="yes">${spaces}apache-log4j-${project.version}-bin.zip</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-bin.zip.sha512" append="yes">${spaces}apache-log4j-${project.version}-bin.zip</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-bin.tar.gz.sha256" append="yes">${spaces}apache-log4j-${project.version}-bin.tar.gz</concat>
+                <concat destfile="${project.build.directory}/apache-log4j-${project.version}-bin.tar.gz.sha512" append="yes">${spaces}apache-log4j-${project.version}-bin.tar.gz</concat>
+              </target>
+            </configuration>
+            <goals>
+              <goal>run</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-gpg-plugin</artifactId>

pom.xml

@@ -220,12 +220,12 @@
   <properties>
     <!-- make sure to update these for each release! -->
     <log4jParentDir>${basedir}</log4jParentDir>
-    <Log4jReleaseVersion>2.17.1</Log4jReleaseVersion>
+    <Log4jReleaseVersion>2.17.2</Log4jReleaseVersion>
     <Log4jReleaseVersionJava7>2.12.4</Log4jReleaseVersionJava7>
     <Log4jReleaseVersionJava6>2.3.2</Log4jReleaseVersionJava6>
-    <Log4jReleaseManager>Matt Sicker</Log4jReleaseManager>
-    <Log4jReleaseKey>D7C92B70FA1C814D</Log4jReleaseKey>
-    <Log4jSigningUserName>mattsicker@apache.org</Log4jSigningUserName>
+    <Log4jReleaseManager>Ralph Goers</Log4jReleaseManager>
+    <Log4jReleaseKey>B3D8E1BA</Log4jReleaseKey>
+    <Log4jSigningUserName>rgoers@apache.org</Log4jSigningUserName>
     <!-- note that any properties you want available in velocity templates must not use periods! -->
     <slf4jVersion>1.7.35</slf4jVersion>
     <logbackVersion>1.2.3</logbackVersion>

src/changes/announcement.vm

@@ -67,8 +67,16 @@ The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/downlo
 
 This release contains the changes noted below:
 
-* Address CVE-2021-44832.
-* Other minor fixes.
+* Over 50 improvements and fixes to the Log4j 1.x support. Continued testing has shown it is a suitable replacement
+for Log4j 1.x in most cases.
+* Scripting now requires a system property be specified naming the languages the user wishes to allow. The scripting
+engine will not load if the property isn't set.
+* By default, the only remote protocol allowed for loading configuration files is HTTPS. Users can specify a system
+property to allow others or prevent remote loading entirely.
+* Variable resolution has been modified so that only properties defined as properties in the configuration file can be
+recursive. All other Lookups are now non-recursive. This addresses issues users were having resolving lookups specified
+in property definitions for use in the RoutingAppender and RollingFileAppender due to restrictions put in place in 2.17.1.
+* Many other fixes and improvements.
 
 Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters.
 log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and
@@ -118,8 +126,8 @@ $h3 Removed
 ---
 
 Apache Log4j ${relVersion} requires a minimum of Java 8 to build and run.
-Log4j 2.12.3 is the last release to support Java 7.
-Log4j 2.3.1 is the last release to support Java 6.
+Log4j 2.12.4 is the last release to support Java 7.
+Log4j 2.3.2 is the last release to support Java 6.
 Java 6 and Java 7 are no longer supported by the Log4j team.
 
 For complete information on ${project.name}, including instructions on how to submit bug

src/site/markdown/index.md.vm

@@ -163,16 +163,24 @@ dependencies.
 
 $h2 News
 
-Log4j 2.17.1has been released to:
-
-* Address CVE-2021-44832.
-* Other minor bug fixes.
-
-2.17.1 (for Java 8) is a recommended upgrade.
-
-Log4j $Log4jReleaseVersion is now available for production. The API for Log4j 2 is not compatible with Log4j 1.x, however an adapter is
-available to allow applications to continue to use the Log4j 1.x API. Adapters are also available for Apache Commons
-Logging, SLF4J, and java.util.logging.
+Log4j 2.17.2 has been released to:
+
+* Over 50 improvements and fixes to the Log4j 1.x support. Continued testing has shown it is a suitable replacement
+for Log4j 1.x in most cases.
+* Scripting now requires a system property be specified naming the languages the user wishes to allow. The scripting
+engine will not load if the property isn't set.
+* By default, the only remote protocol allowed for loading configuration files is HTTPS. Users can specify a system
+property to allow others or prevent remote loading entirely.
+* Variable resolution has been modified so that only properties defined as properties in the configuration file can be
+recursive. All other Lookups are now non-recursive. This addresses issues users were having resolving lookups specified
+in property definitions for use in the RoutingAppender and RollingFileAppender due to restrictions put in place in 2.17.1.
+* Many other fixes and improvements.
+
+2.17.2 (for Java 8) is a recommended upgrade.
+
+Log4j $Log4jReleaseVersion is now available for production. While the normal API for Log4j 2 is not compatible with
+Log4j 1.x, an adapter is available to allow applications to continue to use the Log4j 1.x API and configuration files.
+Adapters are also available for Apache Commons Logging, SLF4J, and java.util.logging.
 
 Log4j $Log4jReleaseVersion is the latest release of Log4j. As of Log4j 2.13.0 Log4j 2 requires Java 8 or greater at
 runtime. This release contains new features and fixes which can be found

src/site/xdoc/manual/configuration.xml.vm

@@ -965,6 +965,7 @@ Configuration:
               definition in the rolling file appender below. You then define each of the subcomponents below that
               wrapper element, as the TimeBasedTriggeringPolicy and SizeBasedTriggeringPolicy are defined below.
             </p>
+            <p>
               As of version 2.17.2,
               <tt>rootLogger</tt> and <tt>logger.<var>key</var></tt> properties can be specified to set the
               level and zero or more appender refs to create for that logger. The level and appender refs are