{"affected":[{"ecosystem_specific":{"binaries":[{"log4j":"2.20.0-150200.4.30.1","log4j-javadoc":"2.20.0-150200.4.30.1","log4j-jcl":"2.20.0-150200.4.30.1","log4j-slf4j":"2.20.0-150200.4.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP7","name":"log4j","purl":"pkg:rpm/suse/log4j&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.20.0-150200.4.30.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"log4j":"2.20.0-150200.4.30.1","log4j-javadoc":"2.20.0-150200.4.30.1","log4j-jcl":"2.20.0-150200.4.30.1","log4j-slf4j":"2.20.0-150200.4.30.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"log4j","purl":"pkg:rpm/opensuse/log4j&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.20.0-150200.4.30.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for log4j fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2025-68161: Fixed absent TLS hostname verification\n      that may allow a man-in-the-middle attack (bsc#1255427)\n  \nOther fixes:\n\n- Upgrade to 2.18.0\n  * Added\n    + Add support for Jakarta Mail API in the SMTP appender.\n    + Add support for custom Log4j 1.x levels.\n    + Add support for adding and retrieving appenders in Log4j 1.x\n      bridge.\n    + Add support for custom LMAX disruptor WaitStrategy\n      configuration.\n    + Add support for Apache Extras' RollingFileAppender in Log4j\n      1.x bridge.\n    + Add MutableThreadContextMapFilter.\n    + Add support for 24 colors in highlighting\n  * Changed\n    + Improves ServiceLoader support on servlet containers.\n    + Make the default disruptor WaitStrategy used by Async Loggers\n      garbage-free.\n    + Do not throw UnsupportedOperationException when JUL\n      ApiLogger::setLevel is called.\n    + Support Spring 2.6.x.\n    + Move perf tests to log4j-core-its\n    + Upgrade the Flume Appender to Flume 1.10.0\n  * Fixed\n    + Fix minor typo #792.\n    + Improve validation and reporting of configuration errors.\n    + Allow enterprise id to be an OID fragment.\n    + Fix problem with non-uppercase custom levels.\n    + Avoid ClassCastException in JeroMqManager with custom\n      LoggerContextFactory #791.\n    + DirectWriteRolloverStrategy should use the current time when\n      creating files.\n    + Fixes the syslog appender in Log4j 1.x bridge, when used with\n      a custom layout.\n    + log4j-1.2-api 2.17.2 throws NullPointerException while\n      removing appender with name as null.\n    + Improve JsonTemplateLayout performance.\n    + Fix resolution of non-Log4j properties.\n    + Fixes Spring Boot logging system registration in a\n      multi-application environment.\n    + JAR file containing Log4j configuration isn’t closed.\n    + Properties defined in configuration using a value attribute\n      (as opposed to element) are read correctly.\n    + Syslog appender lacks the SocketOptions setting.\n    + Log4j 1.2 bridge should not wrap components unnecessarily.\n    + Update 3rd party dependencies for 2.18.0.\n    + SizeBasedTriggeringPolicy would fail to rename files properly\n      when integer pattern contained a leading zero.\n    + Fixes default SslConfiguration, when a custom keystore is\n      used.\n    + Fixes appender concurrency problems in Log4j 1.x bridge.\n    + Fix and test for race condition in FileUtils.mkdir().\n    + LocalizedMessage logs misleading errors on the console.\n    + Add missing message parameterization in RegexFilter.\n    + Add the missing context stack to JsonLayout template.\n    + HttpWatcher did not pass credentials when polling.\n    + UrlConnectionFactory.createConnection now accepts an\n      AuthorizationProvider as a parameter.\n    + The DirectWriteRolloverStrategy was not detecting the correct\n      index to use during startup.\n    + Async Loggers were including the location information by\n      default.\n    + ClassArbiter’s newBuilder method referenced the wrong class.\n    + Don’t use Paths.get() to avoid circular file systems.\n    + Fix parsing error, when XInclude is disabled.\n    + Fix LevelRangeFilterBuilder to align with log4j1’s behavior.\n    + Fixes problem with wrong ANSI escape code for bright colors\n    + Log4j 1.2 bridge should generate Log4j 2.x messages based on\n      the parameter runtime type.\n- Update to 2.19.0\n  * Added\n    + Add implementation of SLF4J2 fluent API.\n    + Add support for SLF4J2 stack-valued MDC.\n  * Changed\n    + Add getExplicitLevel method to LoggerConfig.\n    + Allow PropertySources to be added.\n    + Allow Plugins to be injected with the LoggerContext reference.\n  * Fixed\n    + Add correct manifest entries for OSGi to log4j-jcl\n    + Improve support for passwordless keystores.\n    + SystemPropertyArbiter was assigning the value as the name.\n    + Make JsonTemplateLayout stack trace truncation operate for\n      each label block.\n    + Fix recursion between Log4j 1.2 LogManager and Category.\n    + Fix resolution of properties not starting with log4j2..\n    + Logger$PrivateConfig.filter(Level, Marker, String) was\n      allocating empty varargs array.\n    + Allows a space separated list of style specifiers in the\n      %style pattern for consistency with %highlight.\n    + Fix NPE in log4j-to-jul in the case the root logger level is\n      null.\n    + Fix RollingRandomAccessFileAppender with\n      DirectWriteRolloverStrategy can’t create the first log file of\n      different directory.\n    + Generate new SSL certs for testing.\n    + Fix ServiceLoaderUtil behavior in the presence of a\n      SecurityManager.\n    + Fix regression in Rfc5424Layout default values.\n    + Harden InstantFormatter against delegate failures.\n    + Add async support to Log4jServletFilter.\n  * Removed\n    + Removed build page in favor of a single build instructions\n      file.\n    + Remove SLF4J 1.8.x binding.\n- Update to 2.20.0\n  * Added\n    + Add support for timezones in RollingFileAppender date pattern\n    + Add LogEvent timestamp to ProducerRecord in KafkaAppender\n    + Add PatternLayout support for abbreviating the name of all\n      logger components except the 2 rightmost\n    + Removes internal field that leaked into public API.\n    + Add a LogBuilder#logAndGet() method to emulate the\n      Logger#traceEntry method.\n  * Changed\n    + Simplify site generation\n    + Switch the issue tracker from JIRA to GitHub Issues\n    + Remove liquibase-log4j2 maven module\n    + Fix order of stacktrace elements, that causes cache misses in\n      ThrowableProxyHelper.\n    + Switch from com.sun.mail to Eclipse Angus.\n    + Add Log4j2 Core as default runtime dependency of the\n      SLF4J2-to-Log4j2 API bridge.\n    + Replace maven-changes-plugin with a custom changelog\n      implementation\n    + Moved log4j-api and log4j-core artifacts with classifier tests\n      to log4j-api-test and log4j-core-test respectively.\n  * Deprecated\n    + Deprecate support for package scanning for plugins\n  * Fixed\n    + Copy programmatically supplied location even if\n      includeLocation='false'.\n    + Eliminate status logger warning, when disableAnsi or\n      noConsoleNoAnsi is used the style and highlight patterns.\n    + Fix detection of location requirements in RewriteAppender.\n    + Replace regex with manual code to escape characters in\n      Rfc5424Layout.\n    + Fix java.sql.Time object formatting in MapMessage\n    + Fix previous fire time computation in CronTriggeringPolicy\n    + Correct default to not include location for AsyncRootLoggers\n    + Make StatusConsoleListener use SimpleLogger internally.\n    + Lazily evaluate the level of a SLF4J LogEventBuilder\n    + Fixes priority of Legacy system properties, which are now back\n      to having higher priority than Environment variables.\n    + Protects ServiceLoaderUtil from unchecked ServiceLoader\n      exceptions.\n    + Fix Configurator#setLevel for internal classes\n    + Fix level propagation in Log4jBridgeHandler\n    + Disable OsgiServiceLocator if not running in OSGI container.\n    + When using a Date Lookup in the file pattern the current time\n      should be used.\n    + Fixed LogBuilder filtering in the presence of global filters.\n","id":"SUSE-SU-2026:0254-1","modified":"2026-01-22T16:08:26Z","published":"2026-01-22T16:08:26Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20260254-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1255427"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-68161"}],"related":["CVE-2025-68161"],"summary":"Security update for log4j","upstream":["CVE-2025-68161"]}