From 3a671b83bd425b6391aeca22bad32ab28f3fd7ba990077615bb8114f507e603a Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 16 Dec 2021 16:28:09 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=7 --- logback-1.2.8-jetty.patch | 1 - logback.changes | 48 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/logback-1.2.8-jetty.patch b/logback-1.2.8-jetty.patch index 447345a..c11a41f 100644 --- a/logback-1.2.8-jetty.patch +++ b/logback-1.2.8-jetty.patch @@ -13,7 +13,6 @@ org.codehaus.janino janino compile -Only in logback-1.2.8/logback-access: pom.xml.orig --- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100 +++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100 @@ -209,11 +209,6 @@ diff --git a/logback.changes b/logback.changes index f9b88f2..af7f9e6 100644 --- a/logback.changes +++ b/logback.changes 
@@ -1,3 +1,51 @@ +------------------------------------------------------------------- +Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba + +- Upgrade to version 1.2.8 + * Changes of version 1.2.8 + + In response to LOGBACK-1591, we have disabled all JNDI lookup + code in logback until further notice. This impacts + ContextJNDISelector and element in + configuration files. + + Also in response to LOGBACK-1591, we have removed all database + (JDBC) related code in the project with no replacement. + + Note that the vulnerability mentioned in LOGBACK-1591 requires + write access to logback's configuration file as a + prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591 + are of different severity levels. A successful RCE requires + all of the following conditions to be met: + - write access to logback.xml + - use of versions < 1.2.8 + - reloading of poisoned configuration data, which implies + application restart or scan="true" set prior to attack + + As an additional extra precaution, in addition to upgrading to + logback version 1.2.8, the users are advised to set their + logback configuration files as read-only. + * Changes of version 1.2.7 + + Added hostnameVerification to property SSLSocketAppender. + This fixes LOGBACK-1574. + * Changes of version 1.2.6 + + To prevent XML eXternal Entity injection (XXE) attacks, Joran + no longer reads external entities passed in XML files. This + fixes LOGBACK-1465. + * Changes of version 1.2.5 + + Instead of an Appender, the LayoutWrappingEncoder now accepts + a variable of type ContextAware as a parent. This fixes + LOGBACK-1326. + * Changes of version 1.2.4 + + Added support for minimum length in %i filename pattern. This + fixes LOGBACK-1248. + + For size bound log file archiving, allow + TimeBasedArchiveRemove to remove files with indexes containing + upto 5 digits. This fixes LOGBACK-1175. + + Added %prefix composite converter which automatically prefixes + child converter output with the name of the converter. 
This + feature is quite handy in environments where log files need to + be parsed and monitored. +- Changed patch: + * logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch + + Rediff to changed context + ------------------------------------------------------------------- Fri Nov 29 12:15:18 UTC 2019 - Fridrich Strba
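Review bot: Dropping the stray `-Only in logback-1.2.8/logback-access: pom.xml.orig` line from logback-1.2.8-jetty.patch is the right fix; that line is `diff -r` narrative output rather than hunk content, and leaving it inside a patch file can make `patch` emit garbage or reject the file at build time. The remaining hunk header `@@ -209,11 +209,6 @@` for RequestLogImpl.java and its `---`/`+++` timestamps are untouched, so the rediff itself is not affected. Consider recording this cleanup in logback.changes with a short line such as "drop stray 'Only in' line from the rediffed patch" so the reason for touching the patch file is visible to the next maintainer.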
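Review bot: The new logback.changes entry has a dropped element name in the 1.2.8 note: "This impacts ContextJNDISelector and element in configuration files" is missing the angle-bracketed configuration element that sits between "and" and "element" in the upstream release note (most likely lost because the changes file was pasted through something that stripped tags); please restore it so the entry says which XML element is now disabled. Two smaller points: "upto 5 digits" should read "up to 5 digits", and since the 1.2.8 paragraph already cites CVE-2021-44228 for comparison, it would help the security team if the entry also carried the CVE or bsc# reference for LOGBACK-1591 itself, if one has been assigned, so the fix can be tracked by identifier rather than only by the upstream issue number. The prerequisite list (write access to logback.xml, version < 1.2.8, configuration reload) and the read-only configuration-file advice are clear and worth keeping verbatim.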