Upgrade to Logback 1.5.16 #43568

Closed
snicoll opened this issue Dec 19, 2024 · 8 comments
Labels: type: dependency-upgrade (A dependency upgrade)

Comments

snicoll (Member) commented Dec 19, 2024

Upgrade to Logback 1.5.13.

snicoll added the type: dependency-upgrade (A dependency upgrade) label Dec 19, 2024
snicoll added this to the 3.3.7 milestone Dec 19, 2024
snicoll (Member, Author) commented Dec 19, 2024

Unfortunately, this seems to have broken us; I've raised qos-ch/logback#885.

snicoll modified the milestones: 3.3.7, 3.3.x Dec 19, 2024
snicoll added the status: blocked (An issue that's blocked on an external project change) label Dec 19, 2024

snicoll changed the title from "Upgrade to Logback 1.5.13" to "Upgrade to Logback 1.5.14" Dec 20, 2024
wilkinsona removed the status: blocked (An issue that's blocked on an external project change) label Dec 20, 2024
lzysuqianqiu commented

1.5.15 is out

snicoll changed the title from "Upgrade to Logback 1.5.14" to "Upgrade to Logback 1.5.15" Dec 22, 2024
ali-hamza-noor commented

@snicoll can I raise a PR for this?

philwebb (Member) commented

There's no need, thanks @ali-hamza-noor; we have an automated process.

xalvarez commented Jan 2, 2025

Hello, I wanted to bring to your attention that logback-core versions < 1.5.13 are affected by the following security vulnerabilities:

Could we expect a new version of Spring Boot that includes the patched logback-core dependency to be released soon?

wilkinsona (Member) commented

The next round of Spring Boot releases is on 23 January. In the meantime, you can manually upgrade to a version of Logback that meets your needs using the logback.version property. You may also want to consider the likelihood of being affected by either vulnerability. Both appear to require an attacker to be able to set an environment variable or to modify a Logback configuration file. If either of those is possible, you likely have bigger problems.

lzysuqianqiu commented

1.5.16 is out

wilkinsona changed the title from "Upgrade to Logback 1.5.15" to "Upgrade to Logback 1.5.16" Jan 6, 2025
snicoll self-assigned this Jan 6, 2025
snicoll modified the milestones: 3.3.x, 3.3.8 Jan 6, 2025
snicoll closed this as completed in 9dea1e1 Jan 7, 2025