parent db2e494c01
commit 3a671b83bd
@ -13,7 +13,6 @@
|
|||||||
<groupId>org.codehaus.janino</groupId>
|
<groupId>org.codehaus.janino</groupId>
|
||||||
<artifactId>janino</artifactId>
|
<artifactId>janino</artifactId>
|
||||||
<scope>compile</scope>
|
<scope>compile</scope>
|
||||||
Only in logback-1.2.8/logback-access: pom.xml.orig
|
|
||||||
--- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100
|
--- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100
|
||||||
+++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100
|
+++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100
|
||||||
@@ -209,11 +209,6 @@
|
@@ -209,11 +209,6 @@
|
||||||
|
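Review bot: the `Only in logback-1.2.8/logback-access: pom.xml.orig` line in this hunk is recursive-diff output caused by a leftover `.orig` backup file, not patch content. It appears on one side only and the header shrinks from 7 lines to 6, so it looks like it is being dropped here, which is the right call. To keep it from returning on the next rediff, regenerate the jetty patch from a clean pair of trees or exclude `*.orig` when diffing; the embedded `---`/`+++` lines both point into the same `logback-1.2.8/` directory, which suggests the patch was produced in a working tree that still held backup files.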
@ -1,3 +1,51 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
||||||
|
|
||||||
|
- Upgrade to version 1.2.8
|
||||||
|
* Changes of version 1.2.8
|
||||||
|
+ In response to LOGBACK-1591, we have disabled all JNDI lookup
|
||||||
|
code in logback until further notice. This impacts
|
||||||
|
ContextJNDISelector and <insertFromJNDI> element in
|
||||||
|
configuration files.
|
||||||
|
+ Also in response to LOGBACK-1591, we have removed all database
|
||||||
|
(JDBC) related code in the project with no replacement.
|
||||||
|
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
|
||||||
|
write access to logback's configuration file as a
|
||||||
|
prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
|
||||||
|
are of different severity levels. A successful RCE requires
|
||||||
|
all of the following conditions to be met:
|
||||||
|
- write access to logback.xml
|
||||||
|
- use of versions < 1.2.8
|
||||||
|
- reloading of poisoned configuration data, which implies
|
||||||
|
application restart or scan="true" set prior to attack
|
||||||
|
+ As an additional extra precaution, in addition to upgrading to
|
||||||
|
logback version 1.2.8, the users are advised to set their
|
||||||
|
logback configuration files as read-only.
|
||||||
|
* Changes of version 1.2.7
|
||||||
|
+ Added hostnameVerification to property SSLSocketAppender.
|
||||||
|
This fixes LOGBACK-1574.
|
||||||
|
* Changes of version 1.2.6
|
||||||
|
+ To prevent XML eXternal Entity injection (XXE) attacks, Joran
|
||||||
|
no longer reads external entities passed in XML files. This
|
||||||
|
fixes LOGBACK-1465.
|
||||||
|
* Changes of version 1.2.5
|
||||||
|
+ Instead of an Appender, the LayoutWrappingEncoder now accepts
|
||||||
|
a variable of type ContextAware as a parent. This fixes
|
||||||
|
LOGBACK-1326.
|
||||||
|
* Changes of version 1.2.4
|
||||||
|
+ Added support for minimum length in %i filename pattern. This
|
||||||
|
fixes LOGBACK-1248.
|
||||||
|
+ For size bound log file archiving, allow
|
||||||
|
TimeBasedArchiveRemove to remove files with indexes containing
|
||||||
|
upto 5 digits. This fixes LOGBACK-1175.
|
||||||
|
+ Added %prefix composite converter which automatically prefixes
|
||||||
|
child converter output with the name of the converter. This
|
||||||
|
feature is quite handy in environments where log files need to
|
||||||
|
be parsed and monitored.
|
||||||
|
- Changed patch:
|
||||||
|
* logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch
|
||||||
|
+ Rediff to changed context
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Nov 29 12:15:18 UTC 2019 - Fridrich Strba <fstrba@suse.com>
|
Fri Nov 29 12:15:18 UTC 2019 - Fridrich Strba <fstrba@suse.com>
|
||||||
|
|
||||||
|
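Review bot: the new 1.2.8 entry describes a security fix but identifies it only by the upstream ticket LOGBACK-1591; the single CVE it names, CVE-2021-44228, is the one the text says is a different issue. Add the CVE and distribution bug reference that track LOGBACK-1591 to the `- Upgrade to version 1.2.8` item, so that changelog-based scanners and auditors can match this update to the advisory. The entry also drops `ContextJNDISelector`, `<insertFromJNDI>` and all JDBC code "with no replacement"; that is a behaviour change for existing configurations and deserves its own top-level bullet rather than sitting only inside the copied upstream notes.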