Accepting request 940932 from Java:packages

Security fix bsc#1193795

OBS-URL: https://build.opensuse.org/request/show/940932
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/logback?expand=0&rev=3

_service

@@ -2,8 +2,8 @@
 	<service name="tar_scm" mode="disabled">
 		<param name="scm">git</param>
 		<param name="url">https://github.com/qos-ch/logback.git</param>
-		<param name="revision">v_1.2.3</param>
-		<param name="versionformat">1.2.3</param>
+		<param name="revision">v_1.2.8</param>
+		<param name="versionformat">1.2.8</param>
 		<param name="filename">logback</param>
 		<param name="exclude">logback-access/lib</param>
 	</service>

logback-1.2.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cca5db1d05143817b767e6f5d5f34f1990ff19da8d80f6cdc0c8b14da6ef0e70
-size 2986604

logback-1.2.8-jetty.patch

@@ -1,32 +1,21 @@
-diff --git a/logback-access/pom.xml b/logback-access/pom.xml
-index ab1319b00..f16d17814 100755
---- a/logback-access/pom.xml
-+++ b/logback-access/pom.xml
-@@ -45,6 +45,12 @@
-       <scope>compile</scope>
+--- logback-1.2.8/logback-access/pom.xml	2021-12-14 12:55:51.000000000 +0100
++++ logback-1.2.8/logback-access/pom.xml	2021-12-16 15:35:11.255651389 +0100
+@@ -47,6 +47,12 @@
        <optional>true</optional>
      </dependency>
-+    <dependency>
+     <dependency>
 +      <groupId>org.eclipse.jetty</groupId>
 +      <artifactId>jetty-util</artifactId>
 +      <scope>compile</scope>
 +      <optional>true</optional>
 +    </dependency>
-     <dependency>
++    <dependency>
        <groupId>org.codehaus.janino</groupId>
        <artifactId>janino</artifactId>
-@@ -173,4 +179,4 @@
-     </profile>
-   </profiles>
- 
--</project>
-\ No newline at end of file
-+</project>
-diff --git a/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java b/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java
-index bb11766d9..77ca796bb 100644
---- a/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java
-+++ b/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java
-@@ -209,11 +209,6 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA
+       <scope>compile</scope>
+--- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java	2021-12-14 12:55:51.000000000 +0100
++++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java	2021-12-16 15:35:11.255651389 +0100
+@@ -209,11 +209,6 @@
          started = false;
      }
  
@@ -38,7 +27,7 @@ index bb11766d9..77ca796bb 100644
      public void setFileName(String fileName) {
          this.fileName = fileName;
      }
-@@ -227,26 +222,6 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA
+@@ -227,26 +222,6 @@
          return started;
      }
  
@@ -65,7 +54,7 @@ index bb11766d9..77ca796bb 100644
      public boolean isQuiet() {
          return quiet;
      }
-@@ -310,13 +285,7 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA
+@@ -310,13 +285,7 @@
          return fai.getFilterChainDecision(event);
      }
  

logback-1.2.8.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8e9455e20c8709cc6cf4099a2ff288500255e50e884e05419c992b516b395cf
+size 2976640

logback.changes

@@ -1,13 +1,61 @@
+-------------------------------------------------------------------
+Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 1.2.8 (bsc#1193795)
+  * Changes of version 1.2.8
+    + In response to LOGBACK-1591, all JNDI lookup code in logback
+	  has been disabled until further notice. This impacts
+      ContextJNDISelector and <insertFromJNDI> element in
+      configuration files.
+    + Also in response to LOGBACK-1591, all database (JDBC) related
+	  code in the project has been removed with no replacement.
+    + Note that the vulnerability mentioned in LOGBACK-1591 requires
+      write access to logback's configuration file as a
+      prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
+      are of different severity levels. A successful RCE requires
+      all of the following conditions to be met:
+      - write access to logback.xml
+      - use of versions < 1.2.8
+      - reloading of poisoned configuration data, which implies
+        application restart or scan="true" set prior to attack
+    + As an additional extra precaution, in addition to upgrading to
+      logback version 1.2.8, the users are advised to set their
+      logback configuration files as read-only.
+  * Changes of version 1.2.7
+    + Added hostnameVerification to property SSLSocketAppender.
+      This fixes LOGBACK-1574.
+  * Changes of version 1.2.6
+    + To prevent XML eXternal Entity injection (XXE) attacks, Joran
+      no longer reads external entities passed in XML files. This
+      fixes LOGBACK-1465.
+  * Changes of version 1.2.5
+    + Instead of an Appender, the LayoutWrappingEncoder now accepts
+      a variable of type ContextAware as a parent. This fixes
+      LOGBACK-1326.
+  * Changes of version 1.2.4
+    + Added support for minimum length in %i filename pattern. This
+      fixes LOGBACK-1248.
+    + For size bound log file archiving, allow
+      TimeBasedArchiveRemove to remove files with indexes containing
+      upto 5 digits. This fixes LOGBACK-1175.
+    + Added %prefix composite converter which automatically prefixes
+      child converter output with the name of the converter. This
+      feature is quite handy in environments where log files need to
+      be parsed and monitored.
+- Changed patch:
+  * logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch
+    + Rediff to changed context
+
 -------------------------------------------------------------------
 Fri Nov 29 12:15:18 UTC 2019 - Fridrich Strba <fstrba@suse.com>
 
 - Do not force building with java < 9
-- Specifiy maven.compiler.release=8 to access the
+- Specify maven.compiler.release=8 to access the
   java.util.function.Supplier API, introduced in java 8
 - Added patch:
   * logback-1.2.3-getCallerClass.patch
     + Access the sun.reflect.Reflection.getCallerClass by
-      by reflection, in order to be able to build with jdk >= 9
+      reflection, in order to be able to build with jdk >= 9
 
 -------------------------------------------------------------------
 Sun Nov 17 19:45:03 UTC 2019 - Fridrich Strba <fstrba@suse.com>

logback.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package logback
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,14 @@
 
 
 Name:           logback
-Version:        1.2.3
+Version:        1.2.8
 Release:        0
 Summary:        A Java logging library
-License:        LGPL-2.1-or-later OR EPL-1.0
+License:        EPL-1.0 OR LGPL-2.1-or-later
 URL:            https://logback.qos.ch/
 Source0:        %{name}-%{version}.tar.xz
 # Remove deprecated methods
-Patch0:         %{name}-1.1.11-jetty.patch
+Patch0:         %{name}-1.2.8-jetty.patch
 Patch1:         logback-1.2.3-getCallerClass.patch
 BuildRequires:  fdupes
 BuildRequires:  maven-local
@@ -112,6 +112,21 @@ rm -r %{name}-*/src/test/java/*
 
 %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']"
 
+%if %{?pkg_vcmp:%pkg_vcmp gmavenplus-plugin < 1.6}%{!?pkg_vcmp:0}
+%pom_remove_plugin "org.codehaus.gmavenplus:gmavenplus-plugin" logback-classic
+%pom_add_plugin "org.codehaus.gmavenplus:gmavenplus-plugin:1.5" logback-classic "
+        <executions>
+          <execution>
+            <goals>
+              <goal>generateStubs</goal>
+              <goal>compile</goal>
+              <goal>testGenerateStubs</goal>
+              <goal>testCompile</goal>
+            </goals>
+          </execution>
+        </executions>"
+%endif
+
 # disable for now
 %pom_disable_module logback-site