diff --git a/_service b/_service
index 0c1c112..e7872b5 100644
--- a/_service
+++ b/_service
@@ -2,8 +2,10 @@
git
https://github.com/qos-ch/logback.git
- v_1.2.8
- 1.2.8
+ v_1.2.11
+ v_*
+ @PARENT_TAG@
+ v_(.*)
logback
logback-access/lib
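Review bot: The fetched source is identified by the tag name `v_1.2.11`, and a git tag is a movable ref upstream, so a later service run could produce a different tarball under the same version. The element names are not visible in this hunk, so this assumes the first added value is the tar_scm `revision` parameter. If so, consider pinning it to the release commit, e.g. `<param name="revision">COMMIT_SHA_PLACEHOLDER</param>`, and keeping `v_*`, `@PARENT_TAG@` and `v_(.*)` only for deriving the version string. The sha256 recorded in the LFS pointer for logback-1.2.11.tar.xz covers the tarball as stored, but not a regeneration from the tag.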
diff --git a/logback-1.2.11.tar.xz b/logback-1.2.11.tar.xz
new file mode 100644
index 0000000..ffbbe98
--- /dev/null
+++ b/logback-1.2.11.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f19bb3aa39c84a58f5c083220b3b9a7982693242ac99234cf304943bde037572
+size 2970784
diff --git a/logback-1.2.8.tar.xz b/logback-1.2.8.tar.xz
deleted file mode 100644
index 1b5ed6f..0000000
--- a/logback-1.2.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8e9455e20c8709cc6cf4099a2ff288500255e50e884e05419c992b516b395cf
-size 2976640
diff --git a/logback.changes b/logback.changes
index afdc6f7..f5d99e3 100644
--- a/logback.changes
+++ b/logback.changes
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu Apr 28 04:54:39 UTC 2022 - Fridrich Strba
+
+- Upgrade to upstream version 1.2.11
+ * Backported fix for LOGBACK-1027.
+ * Fixed incorrect String cast in JNDIUtil. This corrects
+ LOGBACK-1604.
+ * In SMTPAppenderBase empty username parameter is now treated the
+ same way as null. This fixes LOGBACK-1594.
+ * ContextInitializer no longer complains about missing
+ logback.groovy configuration file. This fixes LOGBACK-1601.
+ * In response to CVE-2021-42550 (aka LOGBACK-1591) the following
+ steps were made:
+ 1) Hardened logback's JNDI lookup mechanism to only honor
+ requests in the java: namespace. All other types of requests
+ are ignored.
+ 2) SMTPAppender was hardened.
+ 3) Temporarily removed DB support for security reasons.
+ 4) Removed Groovy configuration support. As logging is so
+ pervasive and configuration with Groovy is probably too
+ powerful, this feature is unlikely to be reinstated for
+ security reasons.
+ The aforementioned vulnerability requires write access to
+ logback's configuration file as a prerequisite. A successul
+ RCE attack with CVE-2021-42550 requires all of the following
+ conditions to be met:
+ + write access to logback.xml
+ + use of versions < 1.2.9
+ + reloading of poisoned configuration data, which implies
+ application restart or scan="true" set prior to attack
+- Set project.build.sourceEncoding property to ISO-8859-1 to
+ avoid the new maven-resources-plugin chocking on trying to filter
+ in UTF-8 encoding JKS (binary) resources
+
-------------------------------------------------------------------
Tue Feb 22 18:16:52 UTC 2022 - Fridrich Strba
@@ -18,11 +52,11 @@ Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba
- Upgrade to version 1.2.8 (bsc#1193795)
* Changes of version 1.2.8
+ In response to LOGBACK-1591, all JNDI lookup code in logback
- has been disabled until further notice. This impacts
+ has been disabled until further notice. This impacts
ContextJNDISelector and element in
configuration files.
+ Also in response to LOGBACK-1591, all database (JDBC) related
- code in the project has been removed with no replacement.
+ code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
write access to logback's configuration file as a
prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
diff --git a/logback.spec b/logback.spec
index db2e583..abbca4b 100644
--- a/logback.spec
+++ b/logback.spec
@@ -17,7 +17,7 @@
Name: logback
-Version: 1.2.8
+Version: 1.2.11
Release: 0
Summary: A Java logging library
License: EPL-1.0 OR LGPL-2.1-or-later
@@ -37,15 +37,12 @@ BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.tomcat:tomcat-catalina)
BuildRequires: mvn(org.apache.tomcat:tomcat-coyote)
-BuildRequires: mvn(org.codehaus.gmavenplus:gmavenplus-plugin)
-BuildRequires: mvn(org.codehaus.groovy:groovy-all)
BuildRequires: mvn(org.codehaus.janino:janino)
BuildRequires: mvn(org.eclipse.jetty:jetty-server)
BuildRequires: mvn(org.eclipse.jetty:jetty-util)
BuildRequires: mvn(org.fusesource.jansi:jansi)
BuildRequires: mvn(org.slf4j:slf4j-api)
BuildRequires: mvn(org.slf4j:slf4j-ext)
-#!BuildRequires: groovy-lib
BuildArch: noarch
%description
@@ -108,13 +105,9 @@ rm -r %{name}-*/src/test/java/*
# com.oracle:ojdbc14:10.2.0.1 com.microsoft.sqlserver:sqljdbc4:2.0
%pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'host-orion']" %{name}-access
-%pom_xpath_remove "pom:project/pom:profiles" %{name}-classic
%pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']"
-%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic
-%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic
-
# disable for now
%pom_disable_module logback-site
@@ -125,14 +118,11 @@ rm -r %{name}-*/src/test/java/*
%build
-# unavailable test dep maven-scala-plugin
-# slf4jJAR and org.apache.felix.main are required by logback-examples modules for maven-antrun-plugin
%{mvn_build} -f -- \
%if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0}
- -Dmaven.compiler.release=8 \
+ -Dmaven.compiler.release=8 \
%endif
- -Dorg.slf4j:slf4j-api:jar=$(build-classpath slf4j/api) \
- -Dorg.apache.felix:org.apache.felix.main:jar=$(build-classpath felix/org.apache.felix.main)
+ -Dsource=8 -Dproject.build.sourceEncoding=ISO-8859-1
%install
%mvn_install
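Review bot: `-Dproject.build.sourceEncoding=ISO-8859-1` is passed for the whole build, so it presumably also becomes the encoding javac uses for the Java sources, not only the resource-filtering step it is meant to fix. Any non-ASCII UTF-8 text in the sources would then be mis-decoded without a build error. It is worth confirming the sources are ASCII-only, or narrowing the workaround to the JKS resources, for example by excluding them from filtering in the pom. The two comments above the build command were removed and nothing replaced them, so the reason for the encoding now lives only in logback.changes. A line such as `# ISO-8859-1 so maven-resources-plugin does not mangle binary JKS resources when filtering` before `%{mvn_build}` would keep it in the spec.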