Closed newton-wi closed 1 month ago
LSC does not seem impacted
Reading the CVE, it appears that we need to have features associated with Receivers implemented -> LSC doesn't use that feature in logback.
In addition, the CVE requires us to upgrade to v1.3.12+ for both ch.qos.logback:logback-classic and ch.qos.logback:logback-core, which has already been merged into the master branch and therefore will be in the v2.2 release.
https://github.com/lsc-project/lsc/blob/1e42009ff5524cb0c4b1704cbf60ec5f1b48091f/pom.xml#L728-L741
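
Added example, not part of the thread or of the LSC code base: a small Python check for the two conditions the comment above relies on, namely whether a logback configuration declares any `<receiver>` element and whether a POM declares `ch.qos.logback` artifacts below the 1.3.12 threshold quoted in that comment. The sample configuration and POM are constructed for illustration, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

MIN_VERSION = (1, 3, 12)  # threshold quoted in the comment above ("v1.3.12+")

# Constructed sample inputs for illustration; not taken from the LSC repository.
SAMPLE_LOGBACK_XML = """<configuration>
  <receiver class="ch.qos.logback.classic.net.SocketReceiver">
    <remoteHost>loghost.example</remoteHost>
    <port>6000</port>
  </receiver>
</configuration>"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId><version>1.3.14</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{http://maven.apache.org/POM/4.0.0}'."""
    return tag.rsplit("}", 1)[-1]

def find_receivers(logback_xml):
    """Return the class attribute of every <receiver> element in a logback config."""
    root = ET.fromstring(logback_xml)
    return [el.get("class", "") for el in root.iter() if _local(el.tag) == "receiver"]

def outdated_logback(pom_xml, minimum=MIN_VERSION):
    """Map logback artifactId -> declared version for versions below `minimum`.
    Versions that are not plain x.y.z numbers (e.g. ${property}) are flagged too."""
    flagged = {}
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "ch.qos.logback":
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
        if m is None or tuple(map(int, m.groups())) < minimum:
            flagged[fields.get("artifactId", "?")] = version or "unresolved"
    return flagged

if __name__ == "__main__":
    print("receivers:", find_receivers(SAMPLE_LOGBACK_XML))
    print("below 1.3.12:", outdated_logback(SAMPLE_POM))
```

The version check only reads versions declared directly in the given POM; versions inherited from a parent POM or pulled in transitively need the resolved dependency tree instead.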
Hello,
Current version 2.1.6 uses logback 1.2.3.
According to https://github.com/advisories/GHSA-vmq6-5m68-f53m this is affected by CVE-2023-6378.
Please consider updating this dependency and releasing a version containing the fixed version.
Thanks & Best Regards,
Michael