[slf4j-dev] [JIRA] Updates for SLF4J-455: Missing 1.8.0 stable build, no CVEs patches... beta-2 not complete...
QOS.CH (JIRA)
noreply-jira at qos.ch
Thu Jan 13 21:22:00 CET 2022
SLF4J / SLF4J-455 [Resolved]
Missing 1.8.0 stable build, no CVEs patches... beta-2 not complete...
==============================
There are 2 comments.
View or comment on issue using this link
https://jira.qos.ch/browse/SLF4J-455
==============================
------------------------------
Neustradamus on 13/Jan/22 9:09 PM
@ceki: I know that 1.8-beta is now 2.0-alpha.
CVE-2018-8088 has been fixed in 1.7.26 and 1.8.0-beta4 after my requests by e-mail, JIRA, and Twitter.
But CVE-2018-8088 notes it as solved in 1.8.0-beta2, which is NOT TRUE: IT IS IN 1.8.0-beta4, and it has been solved in the stable branch in 1.7.26, which is not specified:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
- https://www.google.com/search?q=CVE-2018-8088
There is a problem in the description of CVE-2018-8088:
```
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
```
Time to request an update of JIRA ticket number 455 and the CVE to match reality:
- 1.8.0-beta4
- 1.7.26
JIRA:
- https://jira.qos.ch/browse/SLF4J-455
- http://mailman.qos.ch/pipermail/slf4j-dev/2019-February/005118.html
Your tickets about the CVE, but it has been solved in 1.8.0-beta4: https://www.slf4j.org/news.html
There was no 1.8.0-beta3!
- Currently 1.8.0-beta3 is specified: https://jira.qos.ch/browse/SLF4J-430
- Currently 1.8.0-beta2 is specified: https://jira.qos.ch/browse/SLF4J-431
Mail:
- http://mailman.qos.ch/pipermail/slf4j-user/2019-February/001700.html
- http://mailman.qos.ch/pipermail/slf4j-dev/2019-February/005115.html
Twitter:
- https://twitter.com/neustradamus/status/1095041579780374529
- https://twitter.com/neustradamus/status/1098724924607393794
- https://twitter.com/neustradamus/status/1098725012494635008
- https://twitter.com/neustradamus/status/1411324627582963722
------------------------------
Ceki Gülcü on 13/Jan/22 9:12 PM
The issue has been solved in all live branches. What do you want to be done at this time?
==============================
This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)