• update of logback to 1.28

    From tony mancill@21:1/5 to All on Wed Dec 15 21:30:01 2021
    Hello Java Team,

    I have prepared an update of logback to 1.2.8, which addresses the same
    type of JNDI vulnerability recently announced for log4j2.

    Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8

    A CVE has not yet been assigned, but it seems better to go ahead and
    upload the updated package and then associate the CVE with the fixed
    version in the archive once the CVE is assigned. That is, I would
    rather have code that addresses potential vulnerabilities sooner rather
    than later.

    Any concerns with an upload? Since it addresses a security concern, I
    am intending to set the urgency=high. I have kicked off a ratt build
    (133 reverse build dependencies) that is still underway, but everything
    has been successful so far. If there are any build failures, I can
    follow up on them sooner.

    Thank you,
    tony


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Markus Koschany@21:1/5 to All on Wed Dec 15 21:40:03 2021
    Hi tony,

    On Wednesday, 15.12.2021 at 12:20 -0800, tony mancill wrote:
    > Hello Java Team,
    >
    > I have prepared an update of logback to 1.2.8, which addresses the same
    > type of JNDI vulnerability recently announced for log4j2.
    >
    > Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8
    >
    > A CVE has not yet been assigned, but it seems better to go ahead and
    > upload the updated package and then associate the CVE with the fixed
    > version in the archive once the CVE is assigned. That is, I would
    > rather have code that addresses potential vulnerabilities sooner rather
    > than later.
    >
    > Any concerns with an upload? Since it addresses a security concern, I
    > am intending to set the urgency=high. I have kicked off a ratt build
    > (133 reverse build dependencies) that is still underway, but everything
    > has been successful so far. If there are any build failures, I can
    > follow up on them sooner.

    Please go ahead. I agree that we should better be proactive for similar issues in logging libraries. I can prepare an update for stable and oldstable. A CVE assignment appears to be imminent.

    Regards,

    Markus


