Hi tony,

On Wednesday, 15.12.2021 at 12:20 -0800, tony mancill wrote:
> Hello Java Team,
>
> I have prepared an update of logback to 1.2.8, which addresses the same
> type of JNDI vulnerability recently announced for log4j2.
>
> Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and
> https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8
>
> A CVE has not yet been assigned, but it seems better to go ahead and
> upload the updated package and then associate the CVE with the fixed
> version in the archive once the CVE is assigned. That is, I would
> rather have code that addresses potential vulnerabilities sooner rather
> than later.
>
> Any concerns with an upload? Since it addresses a security concern, I
> am intending to set the urgency=high. I have kicked off a ratt build
> (133 reverse build dependencies) that is still underway, but everything
> has been successful so far. If there are any build failures, I can
> follow-up on them sooner.

Please go ahead. I agree that we should better be proactive for similar
issues in logging libraries. I can prepare an update for stable and
oldstable. A CVE assignment appears to be imminent.

Regards,
Markus