[logback-user] Differences between logback 1.2.8 and 1.2.9

Arjohn Kampman arjohn.kampman at gmail.com
Fri Dec 17 10:00:28 CET 2021


First of all: thank you for looking into the vulnerabilities related to 
the log4j news. The announcement about the 1.2.9 release is a bit light 
on details in how it differs from the 1.2.8 release. I thought the 1.2.8 
disabled all the critical bits, which makes it safe to use again, but 
the news article indicates that any version prior to 1.2.9 (including 
1.2.8) is vulnerable. So does this mean that 1.2.9 fixes yet more 
security issues, or is this more about re-enabling some things that have 
been disabled in 1.2.8?


Arjohn Kampman

More information about the logback-user mailing list