devonfw / devon4j

devonfw Java stack - create enterprise-grade business apps in Java safe and fast
Apache License 2.0

Update logback to 1.2.9 or higher #531

Closed hohwille closed 2 years ago

hohwille commented 2 years ago

Criticality:

low

cite from logback website:

We note that the vulnerability mentioned in CVE-2021-42550 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell and CVE-2021-42550 are of different severity levels.

CVE-Link or steps to reproduce:

https://cve.report/CVE-2021-42550

hohwille commented 2 years ago

Update: We do not maintain the logback version in our POMs/BOMs explicitly. It comes with spring-boot. Due to #550 this issue might already have been resolved. In that case we can already close it. Otherwise we need to explicitly override the version in our POM.

sujith-mn commented 2 years ago

Yes. https://github.com/devonfw/devon4j/pull/550 updated logback to 1.2.11. Hence closing this issue.
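The override hohwille describes above, as an added example that is not the devon4j project's own POM: when logback is only pulled in transitively through Spring Boot, the managed version is pinned centrally rather than by editing every dependency. The Spring Boot parent version, the `com.example` coordinates and the module name are placeholders; `1.2.11` is the version the thread settles on, and `logback.version` is the property name that `spring-boot-dependencies` uses for the `ch.qos.logback` artifacts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not devon4j's own pom.xml. Shows two ways to force the
     patched logback release onto a Spring Boot application. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.x.y</version> <!-- placeholder: the Spring Boot line already in use -->
  </parent>

  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>sample-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Variant 1: works when spring-boot-starter-parent is the parent POM.
         spring-boot-dependencies resolves every ch.qos.logback artifact
         (logback-core, logback-classic, ...) through this property, so a single
         override moves them all to the release that addresses CVE-2021-42550. -->
    <logback.version>1.2.11</logback.version>
  </properties>

  <!-- Variant 2: needed when spring-boot-dependencies is imported as a BOM in
       dependencyManagement instead of being the parent; properties of an imported
       BOM cannot be overridden, so the explicit entries must come BEFORE the
       import to take precedence. Harmless to keep alongside variant 1. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>${logback.version}</version>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>${logback.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The starter brings logback-classic transitively; no version here. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm what actually lands on the classpath rather than trusting the property: `mvn dependency:tree -Dincludes=ch.qos.logback` lists only the logback artifacts and their resolved versions, so every `logback-core` and `logback-classic` line should read 1.2.11 (or at least 1.2.9). This check is also the right way to decide, as the thread does, whether a Spring Boot upgrade such as #550 has already resolved the issue without any override.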