From df6c1e89d4075b6bb30df288d06c04d8dbc9e028a9887cbd4a0e588f21cfc944 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 28 Apr 2022 05:21:59 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=13

---
 _service | 6 ++++--
 logback-1.2.11.tar.xz | 3 +++
 logback-1.2.8.tar.xz | 3 ---
 logback.changes | 38 ++++++++++++++++++++++++++++++++++++--
 logback.spec | 16 +++-------------
 5 files changed, 46 insertions(+), 20 deletions(-)
 create mode 100644 logback-1.2.11.tar.xz
 delete mode 100644 logback-1.2.8.tar.xz

diff --git a/_service b/_service
index 0c1c112..e7872b5 100644
--- a/_service
+++ b/_service
@@ -2,8 +2,10 @@
 git
 https://github.com/qos-ch/logback.git
- v_1.2.8
- 1.2.8
+ v_1.2.11
+ v_*
+ @PARENT_TAG@
+ v_(.*)
 logback
 logback-access/lib
diff --git a/logback-1.2.11.tar.xz b/logback-1.2.11.tar.xz
new file mode 100644
index 0000000..ffbbe98
--- /dev/null
+++ b/logback-1.2.11.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f19bb3aa39c84a58f5c083220b3b9a7982693242ac99234cf304943bde037572
+size 2970784
diff --git a/logback-1.2.8.tar.xz b/logback-1.2.8.tar.xz
deleted file mode 100644
index 1b5ed6f..0000000
--- a/logback-1.2.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8e9455e20c8709cc6cf4099a2ff288500255e50e884e05419c992b516b395cf
-size 2976640
diff --git a/logback.changes b/logback.changes
index afdc6f7..f5d99e3 100644
--- a/logback.changes
+++ b/logback.changes
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu Apr 28 04:54:39 UTC 2022 - Fridrich Strba
+
+- Upgrade to upstream version 1.2.11
+ * Backported fix for LOGBACK-1027.
+ * Fixed incorrect String cast in JNDIUtil. This corrects
+ LOGBACK-1604.
+ * In SMTPAppenderBase empty username parameter is now treated the
+ same way as null. This fixes LOGBACK-1594.
+ * ContextInitializer no longer complains about missing
+ logback.groovy configuration file. This fixes LOGBACK-1601.
+ * In response to CVE-2021-42550 (aka LOGBACK-1591) the following
+ steps were made:
+ 1) Hardened logback's JNDI lookup mechanism to only honor
+ requests in the java: namespace. All other types of requests
+ are ignored.
+ 2) SMTPAppender was hardened.
+ 3) Temporarily removed DB support for security reasons.
+ 4) Removed Groovy configuration support. As logging is so
+ pervasive and configuration with Groovy is probably too
+ powerful, this feature is unlikely to be reinstated for
+ security reasons.
+ The aforementioned vulnerability requires write access to
+ logback's configuration file as a prerequisite. A successul
+ RCE attack with CVE-2021-42550 requires all of the following
+ conditions to be met:
+ + write access to logback.xml
+ + use of versions < 1.2.9
+ + reloading of poisoned configuration data, which implies
+ application restart or scan="true" set prior to attack
+- Set project.build.sourceEncoding property to ISO-8859-1 to
+ avoid the new maven-resources-plugin chocking on trying to filter
+ in UTF-8 encoding JKS (binary) resources
+
 -------------------------------------------------------------------
 Tue Feb 22 18:16:52 UTC 2022 - Fridrich Strba
 
@@ -18,11 +52,11 @@ Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba
 - Upgrade to version 1.2.8 (bsc#1193795)
 * Changes of version 1.2.8
 + In response to LOGBACK-1591, all JNDI lookup code in logback
- has been disabled until further notice. This impacts
+ has been disabled until further notice. This impacts
 ContextJNDISelector and element in configuration files.
 + Also in response to LOGBACK-1591, all database (JDBC) related
- code in the project has been removed with no replacement.
+ code in the project has been removed with no replacement.
 + Note that the vulnerability mentioned in LOGBACK-1591 requires
 write access to logback's configuration file as a prerequisite.
 The log4Shell/CVE-2021-44228 and LOGBACK-1591
diff --git a/logback.spec b/logback.spec
index db2e583..abbca4b 100644
--- a/logback.spec
+++ b/logback.spec
@@ -17,7 +17,7 @@
 Name: logback
-Version: 1.2.8
+Version: 1.2.11
 Release: 0
 Summary: A Java logging library
 License: EPL-1.0 OR LGPL-2.1-or-later
@@ -37,15 +37,12 @@ BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
 BuildRequires: mvn(org.apache.tomcat:tomcat-catalina)
 BuildRequires: mvn(org.apache.tomcat:tomcat-coyote)
-BuildRequires: mvn(org.codehaus.gmavenplus:gmavenplus-plugin)
-BuildRequires: mvn(org.codehaus.groovy:groovy-all)
 BuildRequires: mvn(org.codehaus.janino:janino)
 BuildRequires: mvn(org.eclipse.jetty:jetty-server)
 BuildRequires: mvn(org.eclipse.jetty:jetty-util)
 BuildRequires: mvn(org.fusesource.jansi:jansi)
 BuildRequires: mvn(org.slf4j:slf4j-api)
 BuildRequires: mvn(org.slf4j:slf4j-ext)
-#!BuildRequires: groovy-lib
 BuildArch: noarch
 %description
@@ -108,13 +105,9 @@ rm -r %{name}-*/src/test/java/*
 # com.oracle:ojdbc14:10.2.0.1 com.microsoft.sqlserver:sqljdbc4:2.0
 %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'host-orion']" %{name}-access
-%pom_xpath_remove "pom:project/pom:profiles" %{name}-classic
 %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']"
-%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic
-%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic
-
 # disable for now
 %pom_disable_module logback-site
@@ -125,14 +118,11 @@ rm -r %{name}-*/src/test/java/*
 %build
-# unavailable test dep maven-scala-plugin
-# slf4jJAR and org.apache.felix.main are required by logback-examples modules for maven-antrun-plugin
 %{mvn_build} -f -- \
 %if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0}
- -Dmaven.compiler.release=8 \
+ -Dmaven.compiler.release=8 \
 %endif
- -Dorg.slf4j:slf4j-api:jar=$(build-classpath slf4j/api) \
- -Dorg.apache.felix:org.apache.felix.main:jar=$(build-classpath felix/org.apache.felix.main)
+ -Dsource=8 -Dproject.build.sourceEncoding=ISO-8859-1
 %install
 %mvn_install
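Review bot: The new `-Dproject.build.sourceEncoding=ISO-8859-1` in the %build hunk of logback.spec is a project-wide encoding override with no comment saying why it is there, while the two comments that documented the previous flags were removed in the same hunk, so the reason now lives only in logback.changes. Suggest `# ISO-8859-1 keeps maven-resources-plugin from filtering the binary JKS resources as UTF-8` on the line above `%{mvn_build} -f -- \`. The override also governs how javac decodes every .java file and how any genuinely textual resources are filtered, so any non-ASCII character in the sources would be re-encoded silently; whether such characters exist cannot be told from this hunk. If the packaging tooling allows it, the narrower fix is to exclude the keystore extension from resource filtering (maven-resources-plugin's `nonFilteredFileExtensions`) on the affected module, for example with `%pom_xpath_inject`, rather than changing the encoding for the whole build.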