OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=7

2021-12-16 16:28:09 +00:00 · 2021-12-16 16:28:09 +00:00 · 3a671b83bd
commit 3a671b83bd
parent db2e494c01
2 changed files with 48 additions and 1 deletions
--- a/logback-1.2.8-jetty.patch
+++ b/logback-1.2.8-jetty.patch
@ -13,7 +13,6 @@
       <groupId>org.codehaus.janino</groupId>
       <artifactId>janino</artifactId>
       <scope>compile</scope>
-Only in logback-1.2.8/logback-access: pom.xml.orig
 --- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java	2021-12-14 12:55:51.000000000 +0100
 +++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java	2021-12-16 15:35:11.255651389 +0100
@@ -209,11 +209,6 @@
--- a/logback.changes
+++ b/logback.changes
@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 1.2.8
+  * Changes of version 1.2.8
+    + In response to LOGBACK-1591, we have disabled all JNDI lookup
+      code in logback until further notice. This impacts
+      ContextJNDISelector and <insertFromJNDI> element in
+      configuration files.
+    + Also in response to LOGBACK-1591, we have removed all database
+      (JDBC) related code in the project with no replacement.
+    + Note that the vulnerability mentioned in LOGBACK-1591 requires
+      write access to logback's configuration file as a
+	  prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
+	  are of different severity levels. A successful RCE requires
+	  all of the following conditions to be met:
+      - write access to logback.xml
+      - use of versions < 1.2.8
+      - reloading of poisoned configuration data, which implies
+        application restart or scan="true" set prior to attack
+    + As an additional extra precaution, in addition to upgrading to
+      logback version 1.2.8, the users are advised to set their
+	  logback configuration files as read-only.
+  * Changes of version 1.2.7
+    + Added hostnameVerification to property SSLSocketAppender.
+      This fixes LOGBACK-1574.
+  * Changes of version 1.2.6
+    + To prevent XML eXternal Entity injection (XXE) attacks, Joran
+      no longer reads external entities passed in XML files. This
+      fixes LOGBACK-1465.
+  * Changes of version 1.2.5
+    + Instead of an Appender, the LayoutWrappingEncoder now accepts
+      a variable of type ContextAware as a parent. This fixes
+      LOGBACK-1326.
+  * Changes of version 1.2.4
+    + Added support for minimum length in %i filename pattern. This
+      fixes LOGBACK-1248.
+    + For size bound log file archiving, allow
+      TimeBasedArchiveRemove to remove files with indexes containing
+      upto 5 digits. This fixes LOGBACK-1175.
+    + Added %prefix composite converter which automatically prefixes
+      child converter output with the name of the converter. This
+      feature is quite handy in environments where log files need to
+      be parsed and monitored.
+- Changed patch:
+  * logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch
+    + Rediff to changed context
+
 -------------------------------------------------------------------
 Fri Nov 29 12:15:18 UTC 2019 - Fridrich Strba <fstrba@suse.com>