From: Markus Koschany
Newsgroups: linux.debian.maint.java
Subject: Re: update of logback to 1.28
Date: Wed, 15 Dec 2021 21:40:03 +0100
X-Original-To: debian-java@lists.debian.org
X-Original-Message-ID: <47c1fc576b63e49a71afb854501c972744ded644.camel@debian.org>
List-Archive: https://lists.debian.org/msgid-search/47c1fc576b63e49a71afb854501c972744ded644.camel@debian.org

Hi tony,

On Wednesday, 15.12.2021 at 12:20 -0800, tony mancill wrote:
> Hello Java Team,
>
> I have prepared an update of logback to 1.2.8, which addresses the same
> type of JNDI vulnerability recently announced for log4j2.
>
> Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and
> https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8
>
> A CVE has not yet been assigned, but it seems better to go ahead and
> upload the updated package and then associate the CVE with the fixed
> version in the archive once the CVE is assigned.  That is, I would
> rather have code that addresses potential vulnerabilities sooner rather
> than later.
>
> Any concerns with an upload?  Since it addresses a security concern, I
> am intending to set the urgency=high.  I have kicked off a ratt build
> (133 reverse build dependencies) that is still underway, but everything
> has been successful so far.  If there are any build failures, I can
> follow-up on them sooner.

Please go ahead. I agree that we should better be proactive for similar issues
in logging libraries. I can prepare an update for stable and oldstable. A CVE
assignment appears to be imminent.

Regards,

Markus