FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

`logback-test.xml` in the Main Avro resources folder can cause runtime issues for applications #379

Closed kyle-silver closed 1 year ago

kyle-silver commented 1 year ago

Because this test logback file (located here) is in the main directory, it gets packaged and deployed as part of the release artifact. I have some apps running with Spring Boot 2.7.x and Logback and have observed that this test configuration file is getting picked up by Logback and causing the app to fail on startup due to a (perceived) misconfiguration. I believe this can be remediated by moving logback-test.xml to the avro/test/resources directory.


I am happy to open a pull request with this change myself but wanted to file an issue first and hear feedback from the maintainers. I am a huge fan of the work you do on this library
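A way to audit a dependency tree for this class of problem, written here as an added example (not code from the project or from anyone in this thread): Logback auto-loads a `logback-test.xml` found at the classpath root before any `logback.xml`, so one library jar shipping that file overrides the application's own configuration. The script scans jars for logging config files at the classpath root; the sample jars are constructed in memory.

```python
import io
import zipfile
from pathlib import Path

# Logging configs that Logback / Log4j auto-discover at the classpath root.
# Logback checks logback-test.xml before logback.xml, so a dependency jar
# shipping the test variant wins over the application's own config.
LOGGING_CONFIG_NAMES = frozenset({
    "logback-test.xml", "logback.xml",
    "log4j2-test.xml", "log4j2.xml", "log4j.properties",
})


def find_packaged_logging_configs(jar_bytes):
    """Return sorted entry names that are classpath-root logging configs.

    Entries nested under a directory (e.g. sub/logback.xml) are ignored:
    the logging frameworks only look up these names at the root.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(name for name in jar.namelist()
                      if "/" not in name and name in LOGGING_CONFIG_NAMES)


def scan_jar_dir(directory):
    """Map jar path -> offending entries for every *.jar below directory."""
    findings = {}
    for jar_path in sorted(Path(directory).rglob("*.jar")):
        hits = find_packaged_logging_configs(jar_path.read_bytes())
        if hits:
            findings[str(jar_path)] = hits
    return findings


def make_sample_jar(entries):
    """Build an in-memory jar (constructed sample data) with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, "<configuration/>" if name.endswith(".xml") else "")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one jar mimicking the bug, one clean jar.
    bad = make_sample_jar(["META-INF/MANIFEST.MF", "logback-test.xml",
                           "com/example/Foo.class"])
    good = make_sample_jar(["META-INF/MANIFEST.MF", "com/example/Foo.class"])
    print(find_packaged_logging_configs(bad))   # ['logback-test.xml']
    print(find_packaged_logging_configs(good))  # []
```

Point `scan_jar_dir` at a Maven repository or an exploded Spring Boot `BOOT-INF/lib` directory to list every dependency jar that carries such a file.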

cowtowncoder commented 1 year ago

Sounds like a flaw, unintended so PR (against 2.14 branch so I can merge forward) would be most welcome. Thank you for reporting this and bonus points for asking before PR!

kyle-silver commented 1 year ago

Absolutely. One question, though—since that file doesn't exist on the 2.14 branch, will this need a separate commit on the 2.15 branch to remove it once the test file is added?

cowtowncoder commented 1 year ago

Oh ok then just do that for 2.15 branch. I haven't had a chance to check (traveling this week).

techabstraction commented 1 year ago

Hope you don't mind me raising this PR without reaching out first. Just trying to help out, as we're also experiencing our apps failing on start up.

cowtowncoder commented 1 year ago

@techabstraction Not at all, thanks for PR! I wish I had remembered to wait for this before 2.15.1 release, but it'll be in 2.15.2.

techabstraction commented 1 year ago

Thanks @cowtowncoder . Any idea when we can expect 2.15.2? 2.14.3 has a high priority CVE so isn't safe to use.

PRISMA-2023-0067

Priority: High

com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').

cowtowncoder commented 1 year ago

@techabstraction Normally it'd take a while between patches, but "fortunately" there are multiple jar/build issues that are problematic with 2.15.1; as well as one Record-related bug for which I personally need a new version :)

Which is to say I'll probably try to get 2.15.2 released within a week or so.

techabstraction commented 1 year ago

Hi @cowtowncoder . Just checking in, any update on when 2.15.2 will be released?

cowtowncoder commented 1 year ago

This week, today or tomorrow I hope.

EDIT: was released on 2023-05-30.

SuvaAndiBill commented 1 year ago

Hi, just to let you know: Also with spring-boot 3.x.x the app fails to start with version 2.15.1. With version 2.15.2 it's ok again. Thx for your work.

cowtowncoder commented 1 year ago

Thank you for verifying @SuvaAndiBill -- too bad this file was included but good that things work again.