kagkarlsson / db-scheduler

Persistent cluster-friendly scheduler for Java
Apache License 2.0

upgrade logback to 1.3.12 to resolve CVE-2023-6481 and CVE-2023-6378 #542

Open ZacBranson opened 1 day ago

ZacBranson commented 1 day ago

Expected Behavior

The project should have no CVEs, but there are two related to logback 1.2.12.

Current Behavior

MVN Repository reports two CVEs for the current release. Specifically, CVE-2023-6481 and CVE-2023-6378.

These are both related to the logback dependency. Currently, db-scheduler uses logback 1.2.12. There is a patch release, 1.2.13, that addressed both CVEs.


Context

Logs

ZacBranson commented 1 day ago

I'd be happy to submit a PR for this if the suggestion is accepted.

kagkarlsson commented 1 day ago

Please do 👍😊