pool/logback
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=13

Browse Source
This commit is contained in:
Fridrich Strba 2022-04-28 05:21:59 +00:00 committed by Git OBS Bridge
parent fd2f6b8924
commit df6c1e89d4
5 changed files with 46 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
_service
View File

@ -2,8 +2,10 @@
<service name="tar_scm" mode="disabled">
<param name="scm">git</param>
<param name="url">https://github.com/qos-ch/logback.git</param>
<param name="revision">v_1.2.8</param>
<param name="versionformat">1.2.8</param>
<param name="revision">v_1.2.11</param>
<param name="match-tag">v_*</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v_(.*)</param>
<param name="filename">logback</param>
<param name="exclude">logback-access/lib</param>
</service>

3
logback-1.2.11.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f19bb3aa39c84a58f5c083220b3b9a7982693242ac99234cf304943bde037572
size 2970784

3
logback-1.2.8.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e8e9455e20c8709cc6cf4099a2ff288500255e50e884e05419c992b516b395cf
size 2976640

38
logback.changes
View File

@ -1,3 +1,37 @@
-------------------------------------------------------------------
Thu Apr 28 04:54:39 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 1.2.11
* Backported fix for LOGBACK-1027.
* Fixed incorrect String cast in JNDIUtil. This corrects
LOGBACK-1604.
* In SMTPAppenderBase empty username parameter is now treated the
same way as null. This fixes LOGBACK-1594.
* ContextInitializer no longer complains about missing
logback.groovy configuration file. This fixes LOGBACK-1601.
* In response to CVE-2021-42550 (aka LOGBACK-1591) the following
steps were made:
1) Hardened logback's JNDI lookup mechanism to only honor
requests in the java: namespace. All other types of requests
are ignored.
2) SMTPAppender was hardened.
3) Temporarily removed DB support for security reasons.
4) Removed Groovy configuration support. As logging is so
pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for
security reasons.
The aforementioned vulnerability requires write access to
logback's configuration file as a prerequisite. A successul
RCE attack with CVE-2021-42550 requires all of the following
conditions to be met:
+ write access to logback.xml
+ use of versions < 1.2.9
+ reloading of poisoned configuration data, which implies
application restart or scan="true" set prior to attack
- Set project.build.sourceEncoding property to ISO-8859-1 to
avoid the new maven-resources-plugin chocking on trying to filter
in UTF-8 encoding JKS (binary) resources
-------------------------------------------------------------------
Tue Feb 22 18:16:52 UTC 2022 - Fridrich Strba <fstrba@suse.com>
@ -18,11 +52,11 @@ Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 1.2.8 (bsc#1193795)
* Changes of version 1.2.8
+ In response to LOGBACK-1591, all JNDI lookup code in logback
has been disabled until further notice. This impacts
has been disabled until further notice. This impacts
ContextJNDISelector and <insertFromJNDI> element in
configuration files.
+ Also in response to LOGBACK-1591, all database (JDBC) related
code in the project has been removed with no replacement.
code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
write access to logback's configuration file as a
prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591

16
logback.spec
View File

@ -17,7 +17,7 @@
Name: logback
Version: 1.2.8
Version: 1.2.11
Release: 0
Summary: A Java logging library
License: EPL-1.0 OR LGPL-2.1-or-later
@ -37,15 +37,12 @@ BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.tomcat:tomcat-catalina)
BuildRequires: mvn(org.apache.tomcat:tomcat-coyote)
BuildRequires: mvn(org.codehaus.gmavenplus:gmavenplus-plugin)
BuildRequires: mvn(org.codehaus.groovy:groovy-all)
BuildRequires: mvn(org.codehaus.janino:janino)
BuildRequires: mvn(org.eclipse.jetty:jetty-server)
BuildRequires: mvn(org.eclipse.jetty:jetty-util)
BuildRequires: mvn(org.fusesource.jansi:jansi)
BuildRequires: mvn(org.slf4j:slf4j-api)
BuildRequires: mvn(org.slf4j:slf4j-ext)
#!BuildRequires: groovy-lib
BuildArch: noarch
%description
@ -108,13 +105,9 @@ rm -r %{name}-*/src/test/java/*
# com.oracle:ojdbc14:10.2.0.1 com.microsoft.sqlserver:sqljdbc4:2.0
%pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'host-orion']" %{name}-access
%pom_xpath_remove "pom:project/pom:profiles" %{name}-classic
%pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']"
%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic
%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic
# disable for now
%pom_disable_module logback-site
@ -125,14 +118,11 @@ rm -r %{name}-*/src/test/java/*
%build
# unavailable test dep maven-scala-plugin
# slf4jJAR and org.apache.felix.main are required by logback-examples modules for maven-antrun-plugin
%{mvn_build} -f -- \
%if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0}
-Dmaven.compiler.release=8 \
-Dmaven.compiler.release=8 \
%endif
-Dorg.slf4j:slf4j-api:jar=$(build-classpath slf4j/api) \
-Dorg.apache.felix:org.apache.felix.main:jar=$(build-classpath felix/org.apache.felix.main)
-Dsource=8 -Dproject.build.sourceEncoding=ISO-8859-1
%install
%mvn_install