
Bump logback to 1.3.15 #146

Closed

Conversation

yeikel
Contributor

@yeikel yeikel commented Jan 12, 2025

Backport for #145

@Hakky54
Owner

Hakky54 commented Jan 12, 2025

It is not possible to backport this version of logback to logcaptor 1.7.x.
It uses slf4j version 1.x, and logback 1.3.x provides slf4j 2.x.

You can run mvn dependency:tree to validate on your side.

@Hakky54
Owner

Hakky54 commented Jan 12, 2025

According to the CVE you mentioned, GHSA-pr98-23f8-jwxv,
logback version 1.2.x is not affected, so there is no need for a backport.

@yeikel
Contributor Author

yeikel commented Jan 13, 2025

You are right. Sorry for the confusion.

@yeikel yeikel closed this Jan 13, 2025
@yeikel yeikel deleted the patch-2 branch January 13, 2025 15:12
@yeikel
Contributor Author

yeikel commented Jan 13, 2025

Actually, after looking at GHSA-pr98-23f8-jwxv again, it says that 1.2.x would be impacted as well:

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core, up to and including versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12, in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
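Hakky54's suggestion to run mvn dependency:tree and the version ranges in the advisory quoted above can be combined into one check. The script below is an added example, not code from this PR or from the LogCaptor project: it parses a constructed dependency:tree dump (made-up coordinates and versions), flags a logback-core version that falls inside the advisory's affected ranges, and flags an SLF4J 1.x API sitting next to logback 1.3.x or later, which is the incompatibility that blocked the backport.

```python
import re

# Constructed `mvn dependency:tree` output (made-up coordinates, not the PR author's project).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- io.github.hakky54:logcaptor:jar:2.7.0:test
[INFO]    +- ch.qos.logback:logback-classic:jar:1.2.13:test
[INFO]    \\- ch.qos.logback:logback-core:jar:1.2.13:test
"""

AFFECTED_LOGBACK_CORE = [((0, 1, 0), (1, 3, 14)), ((1, 4, 0), (1, 5, 12))]  # inclusive, from the advisory

def vers(v):
    """'1.2.13' -> (1, 2, 13); short versions are zero-padded so tuples compare cleanly."""
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def parse_tree(text):
    """Map 'groupId:artifactId' -> version for every coordinate line in the dump."""
    deps = {}
    for line in text.splitlines():
        body = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", line)
        fields = body.split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        if len(fields) < 4:
            continue  # banner or blank line, not a coordinate
        version = fields[-2] if len(fields) >= 5 else fields[-1]
        deps[f"{fields[0]}:{fields[1]}"] = version
    return deps

def logback_core_affected(version):
    return any(lo <= vers(version) <= hi for lo, hi in AFFECTED_LOGBACK_CORE)

def slf4j_mismatch(deps):
    """logback 1.3.x+ targets the SLF4J 2.x API, 1.2.x targets 1.x; report a split."""
    lb, api = deps.get("ch.qos.logback:logback-classic"), deps.get("org.slf4j:slf4j-api")
    if not lb or not api:
        return None
    needs_v2, has_v2 = vers(lb) >= (1, 3, 0), vers(api) >= (2, 0, 0)
    return None if needs_v2 == has_v2 else (lb, api)

def audit(text):
    """Return findings for one dependency:tree dump: advisory range hits and API splits."""
    deps, findings = parse_tree(text), []
    core = deps.get("ch.qos.logback:logback-core")
    if core and logback_core_affected(core):
        findings.append(f"logback-core {core} is in an affected range of GHSA-pr98-23f8-jwxv")
    if mismatch := slf4j_mismatch(deps):
        findings.append(f"logback-classic {mismatch[0]} and slf4j-api {mismatch[1]} target different SLF4J majors")
    return findings
```

Running audit on the sample reproduces the thread's outcome: logback-core 1.2.13 is reported as affected, while substituting 1.3.15 clears that finding but raises the SLF4J 1.x/2.x split instead.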

@Hakky54
Owner

Hakky54 commented Jan 13, 2025

I think indeed that the issue is present in that specific version, but the old logback version 1.2.x is not maintained anymore. They have stated the following:

On the 1.2.x series (UNMAINTAINED)
The 1.2.x series has been deprecated for several years and is no longer maintained. As such, use of the 1.2.x series is discouraged.

So I can't do anything for logcaptor version 2.7.x. I would recommend you to upgrade to logcaptor version 2.10.x, which uses logback 1.3.x and is also compatible with versions 1.4.x and 1.5.x.

@yeikel
Contributor Author

yeikel commented Jan 14, 2025

I think indeed that the issue is present in that specific version, but the old logback version 1.2.x is not maintained anymore. They have stated the following:

On the 1.2.x series (UNMAINTAINED)
The 1.2.x series has been deprecated for several years and is no longer maintained. As such, use of the 1.2.x series is discouraged.

So I can't do anything for logcaptor version 2.7.x. I would recommend you to upgrade to logcaptor version 2.10.x, which uses logback 1.3.x and is also compatible with versions 1.4.x and 1.5.x.

Unfortunately, my project is still using SLF4J 1.x.

This is a dev dependency, so I'll have to live with the vulnerability for now.
