Merge branch 'critical/JAL-3933_log4shell_mitigation' into releases/Release_2_11_1_Branch
authorJim Procter <j.procter@dundee.ac.uk>
Mon, 20 Dec 2021 07:45:38 +0000 (07:45 +0000)
committerJim Procter <j.procter@dundee.ac.uk>
Mon, 20 Dec 2021 07:45:38 +0000 (07:45 +0000)
23 files changed:
THIRDPARTYLIBS
j11lib/jabaws-min-client-2.2.0.jar [deleted file]
j11lib/jabaws-min-client-NO_LOG4J-2.2.0.jar [new file with mode: 0644]
j11lib/log4j-1.2-api-2.16.0.jar [new file with mode: 0644]
j11lib/log4j-api-2.16.0.jar [new file with mode: 0644]
j11lib/log4j-core-2.16.0.jar [new file with mode: 0644]
j11lib/log4j-slf4j18-impl-2.16.0.jar [new file with mode: 0644]
j11lib/log4j-to-slf4j-2.0-rc2.jar [deleted file]
j11lib/slf4j-api-1.7.26.jar [deleted file]
j11lib/slf4j-api-1.7.32.jar [new file with mode: 0644]
j11lib/slf4j-log4j12-1.7.32.jar [moved from j11lib/slf4j-log4j12-1.7.26.jar with 75% similarity]
j8lib/jabaws-min-client-2.2.0.jar [deleted file]
j8lib/jabaws-min-client-NO_LOG4J-2.2.0.jar [new file with mode: 0644]
j8lib/log4j-1.2-api-2.16.0.jar [new file with mode: 0644]
j8lib/log4j-api-2.16.0.jar [new file with mode: 0644]
j8lib/log4j-core-2.16.0.jar [new file with mode: 0644]
j8lib/log4j-slf4j18-impl-2.16.0.jar [new file with mode: 0644]
j8lib/log4j-to-slf4j-2.0-rc2.jar [deleted file]
j8lib/slf4j-api-1.7.32.jar [new file with mode: 0644]
j8lib/slf4j-api-1.7.7.jar [deleted file]
j8lib/slf4j-log4j12-1.7.32.jar [new file with mode: 0644]
j8lib/slf4j-log4j12-1.7.7.jar [deleted file]
src/jalview/bin/Cache.java

index fa922d9..6ec98d9 100644 (file)
@@ -29,7 +29,7 @@ httpclient-4.0.3.jar
 httpcore-4.0.1.jar
 httpmime-4.0.3.jar
 intervalstore-v1.0.jar
-jabaws-min-client-2.2.0.jar
+jabaws-min-client-NO_LOG4J-2.2.0.jar   Apache license
 java-json.jar
 jaxrpc.jar
 jersey-client-1.19.4.jar       CDDL 1.1 + GPL2 w/ CPE - http://glassfish.java.net/public/CDDL+GPL_1_1.html
@@ -49,15 +49,18 @@ jsr311-api-1.1.1.jar
 jswingreader-0.3.jar   Apache license - built from http://jswingreader.sourceforge.net/ svn/trunk v12
 libquaqua64-8.0.jnilib.jar     quaqua: v.8.0 (latest stable) by Randel S Hofer. LGPL and BSD Modified license: downloaded from http://www.randelshofer.ch/quaqua/ 
 libquaqua-8.0.jnilib.jar       quaqua: v.8.0 (latest stable) by Randel S Hofer. LGPL and BSD Modified license: downloaded from http://www.randelshofer.ch/quaqua/ 
-log4j-1.2.8.jar
+log4j-1.2-api-2.16.0.jar       Apache license version 2.0
+log4j-api-2.16.0.jar   Apache license version 2.0
+log4j-core-2.16.0.jar  Apache license version 2.0
+log4j-slf4j18-impl-2.16.0.jar  Apache license version 2.0
 mail.jar
 miglayout-4.0-swing.jar        BSD - http://www.migcalendar.com/miglayout/versions/4.0/license.txt
 quaqua-filechooser-only-8.0.jar        quaqua: v.8.0 (latest stable) by Randel S Hofer. LGPL and BSD Modified license: downloaded from http://www.randelshofer.ch/quaqua/ 
 regex.jar
 saaj.jar
 servlet-api-3.1.jar
-slf4j-api-1.7.7.jar
-slf4j-log4j12-1.7.7.jar
+slf4j-api-1.7.32.jar   MIT license - https://opensource.org/licenses/mit-license.php
+slf4j-log4j12-1.7.32.jar       MIT license - https://opensource.org/licenses/mit-license.php
 vamsas-client.jar
 VAqua5-patch.jar       This is a patched version of VAqua v5 (latest stable) by Alan Snyder et al. GPLv3 with Classpath exception, also includes contributions from Quaqua: http://violetlib.org/vaqua/overview.html - see doc/patching-vaqua.txt for patch details, and http://issues.jalview.org/browse/JAL-2988 for details of the bug that the patch addresses.
 VARNAv3-93.jar GPL licenced software by K�vin Darty, Alain Denise and Yann Ponty - http://varna.lri.fr
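Review bot: The new entries pair `slf4j-api-1.7.32.jar` with `log4j-slf4j18-impl-2.16.0.jar`, which is the Log4j 2 binding built for the SLF4J 1.8 provider mechanism, and also keep `slf4j-log4j12-1.7.32.jar`. With a 1.7.x API the slf4j18 jar is most likely never picked up, so SLF4J output would reach Log4j 2 only indirectly, through slf4j-log4j12 and the `log4j-1.2-api` bridge. Shipping a single binding would be clearer, for example `log4j-slf4j-impl-2.16.0.jar   Apache license version 2.0` in place of both, with a short remark in this file on why each logging jar is needed. Further 2.x releases followed 2.16.0 in the log4shell series, so the pinned version should be checked against the upstream security page before release.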
@@ -111,12 +114,9 @@ javax.xml.soap-api.jar     CDDL + GPLv2 with classpath exception - https://github.co
 jaxb-api-2.3.1.jar     CDDL 1.1 + GPL2 w/ CPE - https://oss.oracle.com/licenses/CDDL+GPL-1.1
 jaxb-runtime-2.3.2.jar Eclipse Distribution License - v 1.0 - http://www.eclipse.org/org/documents/edl-v10.php
 jaxws-api-2.3.1.jar    CDDL + GPLv2 with classpath exception - https://github.com/javaee/jax-ws-spec/blob/master/LICENSE.md
-Jmol-14.6.4_2016.10.26-no_netscape.jar GPL/LGPLv2 http://sourceforge.net/projects/jmol/files/
 jsr311-api-1.1.1.jar   CDDL License - http://www.opensource.org/licenses/cddl1.php
 mimepull-1.9.11.jar    Eclipse Distribution License - v 1.0 - http://www.eclipse.org/org/documents/edl-v10.php
 policy-2.7.6.jar       Eclipse Distribution License - v 1.0 - http://www.eclipse.org/org/documents/edl-v10.php
-slf4j-api-1.7.26.jar   MIT License - https://opensource.org/licenses/mit-license.php
-slf4j-log4j12-1.7.26.jar       MIT License - https://opensource.org/licenses/mit-license.php
 stax-ex-1.8.1.jar      Eclipse Distribution License - v 1.0 - http://www.eclipse.org/org/documents/edl-v10.php
 stax2-api-4.2.jar      The BSD License - http://www.opensource.org/licenses/bsd-license.php
 streambuffer-1.5.7.jar Eclipse Distribution License - v 1.0 - http://www.eclipse.org/org/documents/edl-v10.php
diff --git a/j11lib/jabaws-min-client-2.2.0.jar b/j11lib/jabaws-min-client-2.2.0.jar
deleted file mode 100644 (file)
index 37426c3..0000000
Binary files a/j11lib/jabaws-min-client-2.2.0.jar and /dev/null differ
diff --git a/j11lib/jabaws-min-client-NO_LOG4J-2.2.0.jar b/j11lib/jabaws-min-client-NO_LOG4J-2.2.0.jar
new file mode 100644 (file)
index 0000000..3838eeb
Binary files /dev/null and b/j11lib/jabaws-min-client-NO_LOG4J-2.2.0.jar differ
diff --git a/j11lib/log4j-1.2-api-2.16.0.jar b/j11lib/log4j-1.2-api-2.16.0.jar
new file mode 100644 (file)
index 0000000..6bfe217
Binary files /dev/null and b/j11lib/log4j-1.2-api-2.16.0.jar differ
diff --git a/j11lib/log4j-api-2.16.0.jar b/j11lib/log4j-api-2.16.0.jar
new file mode 100644 (file)
index 0000000..2cdcc4b
Binary files /dev/null and b/j11lib/log4j-api-2.16.0.jar differ
diff --git a/j11lib/log4j-core-2.16.0.jar b/j11lib/log4j-core-2.16.0.jar
new file mode 100644 (file)
index 0000000..bc913bc
Binary files /dev/null and b/j11lib/log4j-core-2.16.0.jar differ
diff --git a/j11lib/log4j-slf4j18-impl-2.16.0.jar b/j11lib/log4j-slf4j18-impl-2.16.0.jar
new file mode 100644 (file)
index 0000000..ad6dd5b
Binary files /dev/null and b/j11lib/log4j-slf4j18-impl-2.16.0.jar differ
diff --git a/j11lib/log4j-to-slf4j-2.0-rc2.jar b/j11lib/log4j-to-slf4j-2.0-rc2.jar
deleted file mode 100644 (file)
index 4bbf54a..0000000
Binary files a/j11lib/log4j-to-slf4j-2.0-rc2.jar and /dev/null differ
diff --git a/j11lib/slf4j-api-1.7.26.jar b/j11lib/slf4j-api-1.7.26.jar
deleted file mode 100644 (file)
index d2f27ac..0000000
Binary files a/j11lib/slf4j-api-1.7.26.jar and /dev/null differ
diff --git a/j11lib/slf4j-api-1.7.32.jar b/j11lib/slf4j-api-1.7.32.jar
new file mode 100644 (file)
index 0000000..b16a078
Binary files /dev/null and b/j11lib/slf4j-api-1.7.32.jar differ
similarity index 75%
rename from j11lib/slf4j-log4j12-1.7.26.jar
rename to j11lib/slf4j-log4j12-1.7.32.jar
index aed1195..4b0e8b7 100644 (file)
Binary files a/j11lib/slf4j-log4j12-1.7.26.jar and b/j11lib/slf4j-log4j12-1.7.32.jar differ
diff --git a/j8lib/jabaws-min-client-2.2.0.jar b/j8lib/jabaws-min-client-2.2.0.jar
deleted file mode 100644 (file)
index 37426c3..0000000
Binary files a/j8lib/jabaws-min-client-2.2.0.jar and /dev/null differ
diff --git a/j8lib/jabaws-min-client-NO_LOG4J-2.2.0.jar b/j8lib/jabaws-min-client-NO_LOG4J-2.2.0.jar
new file mode 100644 (file)
index 0000000..3838eeb
Binary files /dev/null and b/j8lib/jabaws-min-client-NO_LOG4J-2.2.0.jar differ
diff --git a/j8lib/log4j-1.2-api-2.16.0.jar b/j8lib/log4j-1.2-api-2.16.0.jar
new file mode 100644 (file)
index 0000000..6bfe217
Binary files /dev/null and b/j8lib/log4j-1.2-api-2.16.0.jar differ
diff --git a/j8lib/log4j-api-2.16.0.jar b/j8lib/log4j-api-2.16.0.jar
new file mode 100644 (file)
index 0000000..2cdcc4b
Binary files /dev/null and b/j8lib/log4j-api-2.16.0.jar differ
diff --git a/j8lib/log4j-core-2.16.0.jar b/j8lib/log4j-core-2.16.0.jar
new file mode 100644 (file)
index 0000000..bc913bc
Binary files /dev/null and b/j8lib/log4j-core-2.16.0.jar differ
diff --git a/j8lib/log4j-slf4j18-impl-2.16.0.jar b/j8lib/log4j-slf4j18-impl-2.16.0.jar
new file mode 100644 (file)
index 0000000..ad6dd5b
Binary files /dev/null and b/j8lib/log4j-slf4j18-impl-2.16.0.jar differ
diff --git a/j8lib/log4j-to-slf4j-2.0-rc2.jar b/j8lib/log4j-to-slf4j-2.0-rc2.jar
deleted file mode 100644 (file)
index 4bbf54a..0000000
Binary files a/j8lib/log4j-to-slf4j-2.0-rc2.jar and /dev/null differ
diff --git a/j8lib/slf4j-api-1.7.32.jar b/j8lib/slf4j-api-1.7.32.jar
new file mode 100644 (file)
index 0000000..b16a078
Binary files /dev/null and b/j8lib/slf4j-api-1.7.32.jar differ
diff --git a/j8lib/slf4j-api-1.7.7.jar b/j8lib/slf4j-api-1.7.7.jar
deleted file mode 100644 (file)
index b28e220..0000000
Binary files a/j8lib/slf4j-api-1.7.7.jar and /dev/null differ
diff --git a/j8lib/slf4j-log4j12-1.7.32.jar b/j8lib/slf4j-log4j12-1.7.32.jar
new file mode 100644 (file)
index 0000000..4b0e8b7
Binary files /dev/null and b/j8lib/slf4j-log4j12-1.7.32.jar differ
diff --git a/j8lib/slf4j-log4j12-1.7.7.jar b/j8lib/slf4j-log4j12-1.7.7.jar
deleted file mode 100644 (file)
index 12c804e..0000000
Binary files a/j8lib/slf4j-log4j12-1.7.7.jar and /dev/null differ
index 579b490..d2c234d 100755 (executable)
@@ -47,6 +47,12 @@ import org.apache.log4j.ConsoleAppender;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 import org.apache.log4j.SimpleLayout;
+import org.apache.log4j.builders.appender.ConsoleAppenderBuilder;
+import org.apache.logging.log4j.core.config.Configurator;
+import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder;
+import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
+import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
+import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;
 
 import jalview.datamodel.PDBEntry;
 import jalview.gui.UserDefinedColours;
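Review bot: `org.apache.log4j.builders.appender.ConsoleAppenderBuilder` is imported here but nothing in the visible hunks uses it. It is an internal class of the 1.2 bridge jar, not part of the Log4j 1.2 API, so the import ties compilation to that jar's internals. The context imports `ConsoleAppender` and `SimpleLayout` also look unused once the next hunk removes the old appender code. The rest of Cache.java is outside this view, so confirm before deleting them.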
@@ -303,23 +309,16 @@ public class Cache
     {
       // TODO: redirect stdout and stderr here in order to grab the output of
       // the log
-
-      ConsoleAppender ap = new ConsoleAppender(new SimpleLayout(),
-              "System.err");
-      ap.setName("JalviewLogger");
-      org.apache.log4j.Logger.getRootLogger().addAppender(ap); // catch all for
+      ConfigurationBuilder<BuiltConfiguration> builder = ConfigurationBuilderFactory.newConfigurationBuilder();
+      AppenderComponentBuilder consoleApp = builder.newAppender("stderr", "Console");
+      builder.add(consoleApp);
+      Configurator.initialize(builder.build());
       // log output
       Logger laxis = Logger.getLogger("org.apache.axis");
-      Logger lcastor = Logger.getLogger("org.exolab.castor");
       jalview.bin.Cache.log = Logger.getLogger("jalview.bin.Jalview");
 
       laxis.setLevel(Level.toLevel(
               Cache.getDefault("logs.Axis.Level", Level.INFO.toString())));
-      lcastor.setLevel(Level.toLevel(Cache.getDefault("logs.Castor.Level",
-              Level.INFO.toString())));
-      lcastor = Logger.getLogger("org.exolab.castor.xml");
-      lcastor.setLevel(Level.toLevel(Cache.getDefault("logs.Castor.Level",
-              Level.INFO.toString())));
       // lcastor = Logger.getLogger("org.exolab.castor.xml.Marshaller");
       // lcastor.setLevel(Level.toLevel(Cache.getDefault("logs.Castor.Level",
       // Level.INFO.toString())));
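Review bot: The added configuration never attaches the new appender to a logger: `builder.add(consoleApp)` registers a Console appender named "stderr", but no root logger or appender reference is added before `Configurator.initialize(builder.build())`, so the catch-all that the removed `getRootLogger().addAppender(ap)` provided appears to be lost. The appender also has no `target` attribute, and a Log4j 2 Console appender writes to System.out by default, whereas the removed code wrote to System.err with a SimpleLayout. The sketch below restores the target, an equivalent layout and the root reference; the root level shown is a placeholder for whatever Jalview intends. The leftover `// log output` comment no longer follows the line it completed, and the enclosing method starts and ends outside this hunk.

```java
ConfigurationBuilder<BuiltConfiguration> builder = ConfigurationBuilderFactory.newConfigurationBuilder();
AppenderComponentBuilder consoleApp = builder.newAppender("stderr", "Console")
        .addAttribute("target", "SYSTEM_ERR");
// same shape as the old SimpleLayout: "LEVEL - message"
consoleApp.add(builder.newLayout("PatternLayout").addAttribute("pattern", "%p - %m%n"));
builder.add(consoleApp);
// root level is a placeholder; pick the level Jalview wants as its catch-all
builder.add(builder.newRootLogger(org.apache.logging.log4j.Level.INFO)
        .add(builder.newAppenderRef("stderr")));
Configurator.initialize(builder.build());
// … unchanged: laxis / Cache.log logger setup …
```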