[hibernate-commits] [hibernate/hibernate-orm] d26c44: HHH-20334 Fix invalid log4j config

Branch: refs/heads/7.3 Home: https://github.com/hibernate/hibernate-orm Commit: d26c44cebc2d6cc70deb889e72c3da792ce8ddfb https://github.com/hibernate/hibernate-orm/commit/d26c44cebc2d6cc70deb889... Author: Yoann Rodière <yoann(a)hibernate.org&gt; Date: 2026-04-13 (Mon, 13 Apr 2026) Changed paths: M hibernate-core/src/test/resources/log4j2.properties Log Message: ----------- HHH-20334 Fix invalid log4j config Log4j 2.25 is more strict with its checks. Fix extracted from https://github.com/hibernate/hibernate-orm/commit/6c3c1684d9147cfb06c5ad9... Commit: 0c4f489342df7663af2a4d2ad79c6c20f07f0a28 https://github.com/hibernate/hibernate-orm/commit/0c4f489342df7663af2a4d2... Author: Yoann Rodière <yoann(a)hibernate.org&gt; Date: 2026-04-13 (Mon, 13 Apr 2026) Changed paths: M settings.gradle Log Message: ----------- HHH-20334 Upgrade to Log4j 2.25.4 Technically we only: 1. Use it for testing 2. Have an API dependency in hibernate-testing, which provides some tools to work with log4j So the various CVEs are not really relevant: * https://logging.apache.org/security.html#CVE-2026-34478 * https://logging.apache.org/security.html#CVE-2026-34479 * https://logging.apache.org/security.html#CVE-2026-34481 Still, let’s avoid the noise related to automated tools reporting the problem. Compare: https://github.com/hibernate/hibernate-orm/compare/b76f37111ed0...0c4f489... To unsubscribe from these emails, change your notification settings at https://github.com/hibernate/hibernate-orm/settings/notifications