GP-0 Updated WhatsNew and ChangeHistory for 10.1 release

Author: ghidra1

Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html

@@ -32,6 +32,7 @@ <H1 align="center">Ghidra 10.1 Change History (December 2021)</H1>
     <li><I>API</I>. Updated API methods of the DataTypeChooserDialog. (GP-1349, Issue #3140)</li>
     <li><I>Basic Infrastructure</I>. Symbol performance in Ghidra was significantly improved. Specifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address. (GP-1082)</li>
     <li><I>Basic Infrastructure</I>. Added optional columns in the Functions table for several boolean-valued function attributes. (GP-1393)</li>
+    <li><I>Basic Infrastructure</I>. Upgraded log4j dependency from 2.12.1 to 2.15.0 to resolve a security vulnerability. (GP-1588)</li>
     <li><I>Build</I>. Extension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central. (GP-1144, Issue #2219, #2226)</li>
     <li><I>Build</I>. Increased minimum supported Gradle version from 6.0 to 6.4. (GP-1521, Issue #3650)</li>
     <li><I>Data Types</I>. Added support for zero-element arrays and zero-length components within structures and unions.  Eliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset. (GP-943)</li>

Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html

@@ -46,6 +46,41 @@ <H1>What's new in Ghidra 10.1</H1>
 
     <H2>The not-so-fine print: Please Read!</H2>
 
+	<P><span style="color:#FF0000">WARNING:</span> There has been a published CVE security vulnerability noted in Ghidra dependencies within two log4j jar files.
+    We strongly encourage anyone using previous versions of Ghidra or a build from source, to remediate this issue by either upgrading
+    to the latest Ghidra 10.1 version, or patching your current version.</P>
+    
+    <P>
+	To patch your current Ghidra installation, delete:
+	<BLOCKQUOTE><UL>
+    <li>Ghidra/Framework/Generic/lib/log4j-api-2.12.1.jar</li>
+    <li>Ghidra/Framework/Generic/lib/log4j-core-2.12.1.jar</li>
+    </UL></BLOCKQUOTE>
+    </P>
+    
+    <P>
+	and replace with the newer log4j 2.15.0 version:
+	<BLOCKQUOTE><UL>
+    <li>log4j-api-2.15.0.jar</li>
+    <li>log4j-core-2.15.0.jar</li>
+    </UL></BLOCKQUOTE>
+    </P>
+    
+    <P>
+	You can find these in the latest Ghidra 10.1 release, or from:
+	<BLOCKQUOTE><UL>
+    <li>https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar</li>
+    <li>https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar</li>
+    </UL></BLOCKQUOTE>
+    </P>
+    
+    <P>
+    The details of the vulnerability can be found here:
+	<BLOCKQUOTE><UL>
+    <li>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</li>
+    </UL></BLOCKQUOTE>
+    </P>
+    
 	<P>Ghidra 10.1 is fully backward compatible with project data from previous releases. However, programs and data type archives
 	which are created or modified in 10.1 will not be useable by an earlier Ghidra version.</P>