| From | Markus Koschany <apo@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | Re: update of logback to 1.28 |
| Date | 2021-12-15 21:40 +0100 |
| Message-ID | <DuJeb-3gn-19@gated-at.bofh.it> (permalink) |
| References | <DuJ4t-3dh-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |

Hi tony,

On Wednesday, 15.12.2021 at 12:20 -0800, tony mancill wrote:
> Hello Java Team,
>
> I have prepared an update of logback to 1.2.8, which addresses the same
> type of JNDI vulnerability recently announced for log4j2.
>
> Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and
> https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8
>
> A CVE has not yet been assigned, but it seems better to go ahead and
> upload the updated package and then associate the CVE with the fixed
> version in the archive once the CVE is assigned. That is, I would
> rather have code that addresses potential vulnerabilities sooner rather
> than later.
>
> Any concerns with an upload? Since it addresses a security concern, I
> am intending to set the urgency=high. I have kicked off a ratt build
> (133 reverse build dependencies) that is still underway, but everything
> has been successful so far. If there are any build failures, I can
> follow-up on them sooner.

Please go ahead. I agree that we should better be proactive for similar issues
in logging libraries. I can prepare an update for stable and oldstable. A CVE
assignment appears to be imminent.

Regards,

Markus