We are pleased to announce the release of Java tracker 0.11.0.
Regarding the “log4shell” exploit:
The Java tracker uses slf4j for logging. Depending on user configuration, slf4j can work via log4j, and therefore potentially be at risk for the log4j CVE-2021-44228 vulnerability. Because of this, we have removed all production logging of user-supplied values for Java tracker v0.11.0. User-supplied values are now only logged at DEBUG level.
Other features for 0.11.0 include finer control over Emitter thread creation, and names for threads for easier debugging. These changes are thanks to a contribution from @AcidFlow. Another community member, @b-ryan, also provided code to make logging more infomative. Thanks both! As always, we love hearing from our users. Please feel free to comment or contribute! Finally, we added a method for setting the session_id event property.
CHANGELOG
New features:
Set Emitter’s threads name for easier debugging (#280) (Thanks @AcidFlow)
Allow Emitter to use a custom ExecutorService (#278) (Thanks @AcidFlow)
Manually set the session_id (#265)
Specify the key for ‘null or empty value detected’ payload log (#277) (Thanks @b-ryan)
Bug fixes:
Remove logging of user supplied values (#286)
Under the hood:
Update Deploy action to remove Bintray (#283)
Update all copyright notices (#279)
Remove Mockito and Wiremock dependencies (#275)
Update dependencies guava, wiremock, and httpclient (#269)
Update gradle GH Action to include Java 17 (#273)
Remove HttpHeaders dependency in OkHttpClientAdapter (#266)
Replace Vagrant with Docker (#267)
Java tracker 0.11.0 is available from Maven Central, or GitHub.
The project’s source code can be found here. There are no breaking API changes in this version.