
update of logback to 1.28

From tony mancill <tmancill@debian.org>
Newsgroups linux.debian.maint.java
Subject update of logback to 1.28
Date 2021-12-15 21:30 +0100
Message-ID <DuJ4t-3dh-1@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway


Hello Java Team,

I have prepared an update of logback to 1.2.8, which addresses the same
type of JNDI vulnerability recently announced for log4j2.

Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and
https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8

A CVE has not yet been assigned, but it seems better to go ahead and
upload the updated package and then associate the CVE with the fixed
version in the archive once the CVE is assigned.  That is, I would
rather have code that addresses potential vulnerabilities sooner rather
than later.

Any concerns with an upload?  Since it addresses a security concern, I
am intending to set the urgency=high.  I have kicked off a ratt build
(133 reverse build dependencies) that is still underway, but everything
has been successful so far.  If there are any build failures, I can
follow up on them sooner.

Thank you,
tony



Thread

update of logback to 1.28 tony mancill <tmancill@debian.org> - 2021-12-15 21:30 +0100
  Re: update of logback to 1.28 Markus Koschany <apo@debian.org> - 2021-12-15 21:40 +0100
