[logback-user] Differences between logback 1.2.8 and 1.2.9

Ceki Gülcü ceki at qos.ch
Fri Dec 17 10:46:30 CET 2021

Hi again,

I should also say that while the threat characteristics between 
log4shell and CVE-2021-42550 affecting logback are significantly 
different, it is not our place to estimate each use case and deployment 
configuration. As logback maintainers, we must assume the worst case.

Best regards,
Ceki Gülcü

Please contact support(at)qos.ch for donations, sponsorship or support 
contracts related to SLF4J or logback projects.

On 17/12/2021 10:29, Arjohn Kampman wrote:
> Hi Ceki,
> I'm trying to assess if the update which has been sent to customers, and 
> which includes 1.2.8, is safe to use, or if they will need another 
> update. It's quite a bit of work to do this, so I would appreciate it a 
> lot if you could give some more insight. Which risks remain if the 
> customers stick to logback 1.2.8?
> On 17/12/2021 10:08, Ceki Gülcü wrote:
>> Hi Arjohn,
>> I would consider logback version 1.2.9 a security fix.
