Hello Java Team,
I have prepared an update of logback to 1.2.8, which addresses the same
type of JNDI vulnerability recently announced for log4j2.
Additional details in https://jira.qos.ch/browse/LOGBACK-1591 and https://github.com/qos-ch/logback/compare/v_1.2.7...v_1.2.8
A CVE has not yet been assigned, but it seems better to go ahead and
upload the updated package and then associate the CVE with the fixed
version in the archive once the CVE is assigned. That is, I would
rather have code that addresses potential vulnerabilities sooner rather
Any concerns with an upload? Since it addresses a security concern, I
am intending to set the urgency=high. I have kicked off a ratt build
(133 reverse build dependencies) that is still underway, but everything
has been successful so far. If there are any build failures, I can follow-up on them sooner.
|Location:||Huddersfield, West Yorkshire, UK|
|Nodes:||8 (1 / 7)|