[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-SUSE-SU-2026:0254-1":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":20,"modified_at":21,"state":9,"summary":22,"references_raw":24,"kevs":42,"epss":9,"epss_history":43,"metrics":44,"affected":45},"SUSE-SU-2026:0254-1","Security update for log4j\n\nThis update for log4j fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2025-68161: Fixed absent TLS hostname verification\n      that may allow a man-in-the-middle attack (bsc#1255427)\n  \nOther fixes:\n\n- Upgrade to 2.18.0\n  * Added\n    + Add support for Jakarta Mail API in the SMTP appender.\n    + Add support for custom Log4j 1.x levels.\n    + Add support for adding and retrieving appenders in Log4j 1.x\n      bridge.\n    + Add support for custom LMAX disruptor WaitStrategy\n      configuration.\n    + Add support for Apache Extras' RollingFileAppender in Log4j\n      1.x bridge.\n    + Add MutableThreadContextMapFilter.\n    + Add support for 24 colors in highlighting\n  * Changed\n    + Improves ServiceLoader support on servlet containers.\n    + Make the default disruptor WaitStrategy used by Async Loggers\n      garbage-free.\n    + Do not throw UnsupportedOperationException when JUL\n      ApiLogger::setLevel is called.\n    + Support Spring 2.6.x.\n    + Move perf tests to log4j-core-its\n    + Upgrade the Flume Appender to Flume 1.10.0\n  * Fixed\n    + Fix minor typo #792.\n    + Improve validation and reporting of configuration errors.\n    + Allow enterprise id to be an OID fragment.\n    + Fix problem with non-uppercase custom levels.\n    + Avoid ClassCastException in JeroMqManager with custom\n      LoggerContextFactory #791.\n    + DirectWriteRolloverStrategy should use the current time when\n      creating files.\n    + Fixes the syslog appender in Log4j 1.x bridge, when used with\n      a custom layout.\n    + log4j-1.2-api 2.17.2 throws NullPointerException while\n      removing appender with name as null.\n    + Improve JsonTemplateLayout performance.\n    + Fix resolution of non-Log4j properties.\n    + Fixes Spring Boot logging system registration in a\n      multi-application environment.\n    + JAR file containing Log4j configuration isn’t closed.\n    + Properties defined in configuration using a value attribute\n      (as opposed to element) are read correctly.\n    + Syslog appender lacks the SocketOptions setting.\n    + Log4j 1.2 bridge should not wrap components unnecessarily.\n    + Update 3rd party dependencies for 2.18.0.\n    + SizeBasedTriggeringPolicy would fail to rename files properly\n      when integer pattern contained a leading zero.\n    + Fixes default SslConfiguration, when a custom keystore is\n      used.\n    + Fixes appender concurrency problems in Log4j 1.x bridge.\n    + Fix and test for race condition in FileUtils.mkdir().\n    + LocalizedMessage logs misleading errors on the console.\n    + Add missing message parameterization in RegexFilter.\n    + Add the missing context stack to JsonLayout template.\n    + HttpWatcher did not pass credentials when polling.\n    + UrlConnectionFactory.createConnection now accepts an\n      AuthorizationProvider as a parameter.\n    + The DirectWriteRolloverStrategy was not detecting the correct\n      index to use during startup.\n    + Async Loggers were including the location information by\n      default.\n    + ClassArbiter’s newBuilder method referenced the wrong class.\n    + Don’t use Paths.get() to avoid circular file systems.\n    + Fix parsing error, when XInclude is disabled.\n    + Fix LevelRangeFilterBuilder to align with log4j1’s behavior.\n    + Fixes problem with wrong ANSI escape code for bright colors\n    + Log4j 1.2 bridge should generate Log4j 2.x messages based on\n      the parameter runtime type.\n- Update to 2.19.0\n  * Added\n    + Add implementation of SLF4J2 fluent API.\n    + Add support for SLF4J2 stack-valued MDC.\n  * Changed\n    + Add getExplicitLevel method to LoggerConfig.\n    + Allow PropertySources to be added.\n    + Allow Plugins to be injected with the LoggerContext reference.\n  * Fixed\n    + Add correct manifest entries for OSGi to log4j-jcl\n    + Improve support for passwordless keystores.\n    + SystemPropertyArbiter was assigning the value as the name.\n    + Make JsonTemplateLayout stack trace truncation operate for\n      each label block.\n    + Fix recursion between Log4j 1.2 LogManager and Category.\n    + Fix resolution of properties not starting with log4j2..\n    + Logger$PrivateConfig.filter(Level, Marker, String) was\n      allocating empty varargs array.\n    + Allows a space separated list of style specifiers in the\n      %style pattern for consistency with %highlight.\n    + Fix NPE in log4j-to-jul in the case the root logger level is\n      null.\n    + Fix RollingRandomAccessFileAppender with\n      DirectWriteRolloverStrategy can’t create the first log file of\n      different directory.\n    + Generate new SSL certs for testing.\n    + Fix ServiceLoaderUtil behavior in the presence of a\n      SecurityManager.\n    + Fix regression in Rfc5424Layout default values.\n    + Harden InstantFormatter against delegate failures.\n    + Add async support to Log4jServletFilter.\n  * Removed\n    + Removed build page in favor of a single build instructions\n      file.\n    + Remove SLF4J 1.8.x binding.\n- Update to 2.20.0\n  * Added\n    + Add support for timezones in RollingFileAppender date pattern\n    + Add LogEvent timestamp to ProducerRecord in KafkaAppender\n    + Add PatternLayout support for abbreviating the name of all\n      logger components except the 2 rightmost\n    + Removes internal field that leaked into public API.\n    + Add a LogBuilder#logAndGet() method to emulate the\n      Logger#traceEntry method.\n  * Changed\n    + Simplify site generation\n    + Switch the issue tracker from JIRA to GitHub Issues\n    + Remove liquibase-log4j2 maven module\n    + Fix order of stacktrace elements, that causes cache misses in\n      ThrowableProxyHelper.\n    + Switch from com.sun.mail to Eclipse Angus.\n    + Add Log4j2 Core as default runtime dependency of the\n      SLF4J2-to-Log4j2 API bridge.\n    + Replace maven-changes-plugin with a custom changelog\n      implementation\n    + Moved log4j-api and log4j-core artifacts with classifier tests\n      to log4j-api-test and log4j-core-test respectively.\n  * Deprecated\n    + Deprecate support for package scanning for plugins\n  * Fixed\n    + Copy programmatically supplied location even if\n      includeLocation='false'.\n    + Eliminate status logger warning, when disableAnsi or\n      noConsoleNoAnsi is used the style and highlight patterns.\n    + Fix detection of location requirements in RewriteAppender.\n    + Replace regex with manual code to escape characters in\n      Rfc5424Layout.\n    + Fix java.sql.Time object formatting in MapMessage\n    + Fix previous fire time computation in CronTriggeringPolicy\n    + Correct default to not include location for AsyncRootLoggers\n    + Make StatusConsoleListener use SimpleLogger internally.\n    + Lazily evaluate the level of a SLF4J LogEventBuilder\n    + Fixes priority of Legacy system properties, which are now back\n      to having higher priority than Environment variables.\n    + Protects ServiceLoaderUtil from unchecked ServiceLoader\n      exceptions.\n    + Fix Configurator#setLevel for internal classes\n    + Fix level propagation in Log4jBridgeHandler\n    + Disable OsgiServiceLocator if not running in OSGI container.\n    + When using a Date Lookup in the file pattern the current time\n      should be used.\n    + Fixed LogBuilder filtering in the presence of global filters.\n",null,[],[],[],[14],{"_key":15},"CVE-2025-68161",[],[],[19],{"_key":15},"2026-01-22T16:08:26Z","2026-03-23T04:52:04.123472Z",{"cisa_kev":23,"cisa_ransomware":23,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[25,32,37],{"url":26,"sources":27,"tags":30},"https://www.suse.com/support/update/announcement/2026/suse-su-20260254-1/",[28,29],"osv_suse","osv_opensuse",[31],"Advisory",{"url":33,"sources":34,"tags":35},"https://bugzilla.suse.com/1255427",[28,29],[36],"REPORT",{"url":38,"sources":39,"tags":40},"https://www.suse.com/security/cve/CVE-2025-68161",[28,29],[41],"WEB",[],[],[],[46,59],{"ecosystem":47,"name":48,"vendor":49,"product":50,"cpe_part":9,"purl_type":51,"purl_namespace":49,"purl_name":50,"source":9,"versions":52},"openSUSE","log4j","opensuse","log4j&distro=openSUSE Leap 15.6","rpm",[53],{"version":54,"is_range":55,"range_type":56,"version_start":9,"version_start_type":9,"version_end":57,"version_end_type":58,"fixed_in":9},"lt2_20_0_150200_4_30_1",true,"ecosystem","2.20.0-150200.4.30.1","excluding",{"ecosystem":60,"name":48,"vendor":61,"product":62,"cpe_part":9,"purl_type":51,"purl_namespace":61,"purl_name":62,"source":9,"versions":63},"SUSE Linux Enterprise","suse","log4j&distro=SUSE Linux Enterprise Module for Basesystem 15 SP7",[64],{"version":54,"is_range":55,"range_type":56,"version_start":9,"version_start_type":9,"version_end":57,"version_end_type":58,"fixed_in":9}]