JavaMoney / jsr354-api

JSR 354 - Money and Currency API
http://javamoney.org
Apache License 2.0

Fix potential logback security vulnerabilities #138

Closed McPringle closed 2 years ago

McPringle commented 2 years ago

CVE-2021-42550: In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers.
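Two checks a reviewer of a dependency bump like this one would want to run, as an added example that is not part of the jsr354-api project or of this PR: first, flag the logback artifacts declared in a pom.xml whose version falls within the affected range quoted above (1.2.7 and earlier), comparing versions numerically so that 1.2.10 is not mistaken for something older than 1.2.7; second, list the places in a logback.xml that pull values from JNDI, which is the mechanism the CVE text refers to. The sample pom.xml and logback.xml below are constructed for illustration. The choice of 1.2.8 as the first fixed 1.2.x release is an assumption to be verified against the logback changelog, and the script models only the 1.2.x line (1.3.0 alpha releases are not handled). `insertFromJNDI` with its `env-entry-name` attribute is the element documented in the logback manual; the `ldap://` search is a heuristic, not a proof of malice.

```python
"""Added example (not project code): flag logback versions in the
CVE-2021-42550 range in a pom.xml and spot JNDI-sourced values in a
logback.xml. Sample inputs are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# CVE text: 1.2.7 and prior are affected. Treating 1.2.8 as the first fixed
# 1.2.x release is an assumption; confirm against the logback changelog.
FIRST_FIXED = (1, 2, 8)
LOGBACK_ARTIFACTS = {"logback-core", "logback-classic", "logback-access"}


def parse_version(s):
    """'1.2.10' -> (1, 2, 10). A numeric tuple is required: as strings,
    '1.2.10' < '1.2.7', which would mis-classify a fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True for 1.2.x releases older than FIRST_FIXED (1.3.x alphas not modelled)."""
    return parse_version(version) < FIRST_FIXED


def resolve(text, props):
    """Expand ${property} references as Maven would for a version string."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)


def logback_findings(pom_xml):
    """Return (artifactId, resolved version, affected?) for each logback dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = dep.findtext("m:version", "", NS).strip()
        if gid == "ch.qos.logback" and aid in LOGBACK_ARTIFACTS and ver:
            ver = resolve(ver, props)
            findings.append((aid, ver, is_affected(ver)))
    return findings


def jndi_findings(logback_xml):
    """List JNDI-sourced elements and any ldap:// references in a logback config."""
    root = ET.fromstring(logback_xml)
    out = []
    for el in root.iter():
        if el.tag == "insertFromJNDI":  # documented logback element
            out.append(("insertFromJNDI", el.get("env-entry-name", "")))
        for attr, val in el.attrib.items():
            if re.search(r"ldaps?://", val, re.I):  # heuristic only
                out.append(("ldap-ref", f"{el.tag}@{attr}={val}"))
        if el.text and re.search(r"ldaps?://", el.text, re.I):
            out.append(("ldap-ref", f"{el.tag}={el.text.strip()}"))
    return out


# Constructed sample pom.xml: one affected artifact via a property, one fixed.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <properties><logback.version>1.2.3</logback.version></properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${{logback.version}}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.2.10</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample logback.xml with one JNDI-sourced property.
SAMPLE_LOGBACK = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level ${appName} %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

if __name__ == "__main__":
    for aid, ver, bad in logback_findings(SAMPLE_POM):
        print(f"{aid} {ver}: {'AFFECTED by CVE-2021-42550' if bad else 'ok'}")
    for kind, detail in jndi_findings(SAMPLE_LOGBACK):
        print(f"review: {kind} {detail}")
```

Run it against a real pom.xml by replacing the sample strings with the file contents; for multi-module builds or versions managed in a parent `dependencyManagement` section, the resolved tree from `mvn dependency:tree` is the more reliable input, since this script only reads what is declared in the file it is given.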



coveralls commented 2 years ago

Coverage remained the same at 78.198% when pulling 772d799eee8ded0ca77504a21e173003f5e2fbd1 on McPringle:security/CVE-2021-42550 into 4707d4ee3cf39ff62c256a3ed7887b7b28c1a680 on JavaMoney:master.

McPringle commented 2 years ago

The error is not related to my change. Taking a look at the Travis log, it looks like there is a problem installing the end-of-life Java version 9:

Downloading JDK from https://download.java.net/java/early_access/jdk19/3/GPL/openjdk-19-ea+3_linux-x64_bin.tar.gz
https://download.java.net/java/GA/jdk9/9.0.4/binaries/openjdk-9.0.4_linux-x64_bin.tar.gz...
Using custom target: /home/travis/openjdk9
gzip: stdin: decompression OK, trailing garbage ignored
tar: Child returned status 2
tar: Error is not recoverable: exiting now
The command "~/bin/install-jdk.sh --target "/home/travis/openjdk9" --workspace "/home/travis/.cache/install-jdk" --feature "9" --license "GPL" --cacerts" failed and exited with 2 during .
Your build has been stopped.

Exactly the same happens with my PR #137.

keilw commented 2 years ago

@McPringle Interesting, didn't know Logback was also affected, but given it has the same roots as Log4j, not so surprising. Thanks