Hello Java Team, I have prepared an update of logback to 1.2.8, which addresses the same type of JNDI vulnerability recently announced for log4j2. Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8 A CVE has not yet been assigned, but it seems better to go ahead and upload the updated package and then associate the CVE with the fixed version in the archive once the CVE is assigned. That is, I would rather have code that addresses potential vulnerabilities sooner rather than later. Any concerns with an upload? Since it addresses a security concern, I am intending to set the urgency=high. I have kicked off a ratt build (133 reverse build dependencies) that is still underway, but everything has been successful so far. If there are any build failures, I can follow-up on them sooner. Thank you, tony
Attachment:
signature.asc
Description: PGP signature