ops4j / org.ops4j.pax.logging

The OSGi Logging framework implementation. Supports SLF4J,LOG4J,JCL etc.
https://ops4j1.jira.com/wiki/spaces/paxlogging/overview
Apache License 2.0

Pax logging 1.11.x with logback 1.2.9 #423

Closed yoannguion closed 2 years ago

yoannguion commented 2 years ago

Hello, I created this PR to include logback 1.2.9.

This version fixes CVE-2021-42550 (aka LOGBACK-1591).

I know it is NOT the same security level as Log4Shell, but I think this should be included too.

grgrzybek commented 2 years ago

pax-logging-logback shades ch/qos/logback/classic/spi/PackagingDataCalculator.java - I'll check the changes between 1.2.3 and 1.2.9

grgrzybek commented 2 years ago

thanks for the PR btw ;)

grgrzybek commented 2 years ago

git lg v_1.2.3..branch_1.2.x -- ./logback-classic/src/main/java/ch/qos/logback/classic/spi/PackagingDataCalculator.java shows no changes. I'm leaving the shaded class as-is.

grgrzybek commented 2 years ago

Actually, logback packages are NOT exported from pax-logging-logback. The only way to integrate is to create a bundle fragment. Like the org.ops4j.pax.logging:pax-logging-sample-fragment-logback example.
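The fragment approach described in the comment above, as an added example that is not part of the PR or of the pax-logging project's own sample: a maven-bundle-plugin configuration that turns a small module into a fragment attached to pax-logging-logback. The host symbolic name org.ops4j.pax.logging.pax-logging-logback and the artifact coordinates are assumptions for illustration; check the actual Bundle-SymbolicName of the pax-logging-logback jar you deploy.

```xml
<!-- Added example (not from the PR): declare this module as an OSGi fragment
     of pax-logging-logback. A fragment is merged into its host's class loader,
     so classes in this module can extend ch.qos.logback.* even though the host
     does not export those packages. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>               <!-- assumed coordinates -->
  <artifactId>logback-config-fragment</artifactId>
  <version>1.0.0</version>
  <packaging>bundle</packaging>

  <dependencies>
    <!-- Compile against logback only; at runtime the classes come from the
         pax-logging-logback host, so keep the scope 'provided'. -->
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>1.2.9</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.felix</groupId>
        <artifactId>maven-bundle-plugin</artifactId>
        <extensions>true</extensions>
        <configuration>
          <instructions>
            <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
            <!-- Assumed host symbolic name; verify against the deployed jar. -->
            <Fragment-Host>org.ops4j.pax.logging.pax-logging-logback</Fragment-Host>
            <!-- Keep the fragment private: nothing leaves the host's class space. -->
            <Export-Package>!*</Export-Package>
            <!-- Do not import logback packages: they are resolved from the host. -->
            <Import-Package>!ch.qos.logback.*,*</Import-Package>
          </instructions>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Two caveats a practitioner should keep in mind. First, a fragment attaches only while the host is resolving, so install it before pax-logging-logback resolves or refresh the host afterwards; otherwise the fragment's classes are silently invisible. Second, because the fragment shares the host's class loader, it gets exactly the same visibility as pax-logging-logback itself, including the shaded PackagingDataCalculator mentioned above, so treat a fragment as trusted code on the same footing as the logging backend rather than as an ordinary application bundle.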