[logback-user] Differences between logback 1.2.8 and 1.2.9
Ceki Gülcü
ceki at qos.ch
Fri Dec 17 10:46:30 CET 2021
Hi again,
I should also say that while the threat characteristics between
log4shell and CVE-2021-42550 affecting logback are significantly
different, it is not our place to estimate each use case and deployment
configuration. As logback maintainers, we must assume the worst case.
Best regards,
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J or logback projects.
On 17/12/2021 10:29, Arjohn Kampman wrote:
> Hi Ceki,
>
> I'm trying to assess if the update which has been sent to customers, and
> which includes 1.2.8, is safe to use, or if they will need another
> update. It's quite a bit of work to do this, so I would appreciate it a
> lot if you could give some more insight. Which risks remain if the
> customers stick to logback 1.28?
>
>
> On 17/12/2021 10:08, Ceki Gülcü wrote:
>>
>> Hi Arjohn,
>>
>> I would consider logback version 1.2.9 a security fix.
>>