#29034 Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY]

enhancement

major

#27376

TLScript function "sessionRevision()"

minor

#28746

Tree grid with transient objects records selection with TransientTLObjectNaming

#28985

Update fasterxml to version 2.19.2

defect

critical

#29012

Replace dependency org.lz4:lz4-java with at.yawk.lz4:lz4-java [SECURITY] CVE-2025-12183, CVE-2025-66566

major

#28357

Do not include IDEResources by default

#28932

Deleted object access in the WebFolder

#28959

Drop into an empty table not possible

#29018

Prevent the creation of duplicate back references

#29040

Endless loop when exporting HTML attributes to Excel

minor

#27287

TL-Script add() returns error with set reference if value already contained

#28150

Long items in the Multi DropDown lead to selection problems

#28285

Strings sometimes have the wrong color in the TLScript editor

#28681

Error when displaying external "objects" in the form editor

#28699

Missing images in TL-Script description texts

#28921

Prevent Goto to FormOverlay's

#28928

In multi-select selection field, option cannot be deselected if not currently included in options

#28956

Client-side errors in "afterRendering" are swallowed up

#29003

Migration: Renaming references with legacy enums fails

#29035

Log display crashes with corrupt log files

update

critical

#29008

Update dependency org.mozilla:rhino to v1.7.14.1 [SECURITY]

#29034

Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY]

update

critical

#29034

Update dependency org.apache.logging.log4j:log4j-core to v2.25.3 [SECURITY]

SecurityIssue Update

This PR contains the following updates:

Package	Type	Update Type	Change
---	---	---	---
org.apache.logging.log4j:log4j-core (source)	compile	minor	2.20.0 → 2.25.3

---

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Apache Log4j does not verify the TLS hostname in its Socket Appender

GHSA-vc5p-v9hr-52mj

Details

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.

This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:

The attacker is able to intercept or redirect network traffic between the client and the log receiver.
The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured).

Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.

As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---