eclipse / tahu

Eclipse Tahu addresses the existence of legacy SCADA/DCS/ICS protocols and infrastructures and provides a much-needed definition of how best to apply MQTT into these existing industrial operational environments.
https://eclipse.org/tahu
Eclipse Public License 2.0

upgrade logback to 1.2.13 to address CVE-2023-6378 #351

Closed BobClaerhout closed 4 months ago

BobClaerhout commented 5 months ago

Logback has a HIGH vulnerability which can be addressed by upgrading to version 1.2.13: https://avd.aquasec.com/nvd/2023/cve-2023-6378/.

This PR addresses this vulnerability by bumping the logback version.
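A dependency bump like this one is easy to get wrong when the version comes from a property or a parent POM, so a reviewer typically wants a quick check that every `ch.qos.logback` artifact actually resolves to 1.2.13 or later. The script below is an added example, not part of this PR or of the Tahu code base: it parses a constructed `pom.xml` (the project name, artifact ids and old versions are made up), resolves `${...}` placeholders from `<properties>`, and reports any logback artifact below the fixed version named in this thread. The 1.2.13 threshold applies to the 1.2.x line discussed here; other logback release lines have their own fixed versions, so adjust `fixed` accordingly.

```python
"""Flag ch.qos.logback dependencies in a Maven POM that are older than the fixed version.

Added example (not Tahu project code). The POM below is constructed for
illustration; only the fixed version 1.2.13 is taken from the PR discussion.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOGBACK_GROUP = "ch.qos.logback"
FIXED_VERSION = "1.2.13"  # version the PR upgrades to for CVE-2023-6378 (1.2.x line)


def parse_version(v):
    """'1.2.13' -> (1, 2, 13). Qualifiers such as '-SNAPSHOT' are dropped.
    An unparseable string (e.g. an unresolved ${placeholder}) yields (),
    which compares as older than any real version and is therefore flagged."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def _text(el, tag):
    child = el.find(f"m:{tag}", MAVEN_NS)
    return child.text.strip() if child is not None and child.text else None


def find_outdated_logback(pom_xml, fixed=FIXED_VERSION):
    """Return [(artifactId, version)] for logback deps older than `fixed`.
    A dependency without a <version> (managed by a parent/BOM) is reported
    with version None so the reviewer checks where it is managed."""
    root = ET.fromstring(pom_xml)

    # Collect <properties> so ${logback.version}-style placeholders resolve.
    props = {}
    props_el = root.find("m:properties", MAVEN_NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    findings = []
    # root.iter() also walks <dependencyManagement>, not just <dependencies>.
    for dep in root.iter(f"{{{MAVEN_NS['m']}}}dependency"):
        if _text(dep, "groupId") != LOGBACK_GROUP:
            continue
        artifact = _text(dep, "artifactId")
        version = _text(dep, "version")
        if version is None:
            findings.append((artifact, None))
            continue
        placeholder = re.fullmatch(r"\$\{([^}]+)\}", version)
        if placeholder:
            version = props.get(placeholder.group(1), version)
        if parse_version(version) < parse_version(fixed):
            findings.append((artifact, version))
    return findings


# Constructed sample POM: one logback artifact pinned via a property, one inline.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>0.1.0</version>
  <properties>
    <logback.version>1.2.11</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>"""

# The same POM after the bump this PR performs.
POM_AFTER = POM_BEFORE.replace("1.2.11", "1.2.13").replace("1.2.3", "1.2.13")

if __name__ == "__main__":
    print("before:", find_outdated_logback(POM_BEFORE))
    print("after: ", find_outdated_logback(POM_AFTER))
```

Run against a real checkout, the check is only a first pass: a parent POM or BOM can still pin an older version, and transitive dependencies are not visible in the POM at all, so confirm with the resolved dependency tree (`mvn dependency:tree`) before closing the scanner finding.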

glennergeerts commented 4 months ago

Hi, is there an update on this please? This dependency is causing vulnerability scanners to alert for the CVE. Would be good if this can be updated in a next release.

glennergeerts commented 4 months ago

thanks for merging :+1:

I was wondering: what is the release strategy of Tahu? Do you aim for periodic releases or is this feature driven? When could we expect this change to be included in a new version?