From fbd2d48c5e67052589dc93281c825af8313aa3f7d617f5aa5f60eb6725261911 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 16 Dec 2021 16:31:11 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=8 --- logback.changes | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/logback.changes b/logback.changes index af7f9e6..d47ac10 100644 --- a/logback.changes +++ b/logback.changes 
@@ -1,26 +1,26 @@ ------------------------------------------------------------------- Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba -- Upgrade to version 1.2.8 +- Upgrade to version 1.2.8 (bsc#1193795) * Changes of version 1.2.8 - + In response to LOGBACK-1591, we have disabled all JNDI lookup - code in logback until further notice. This impacts + + In response to LOGBACK-1591, all JNDI lookup code in logback + has been disabled until further notice. This impacts ContextJNDISelector and element in configuration files. - + Also in response to LOGBACK-1591, we have removed all database - (JDBC) related code in the project with no replacement. + + Also in response to LOGBACK-1591, all database (JDBC) related + code in the project has been removed with no replacement. + Note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a - prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591 - are of different severity levels. A successful RCE requires - all of the following conditions to be met: + prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591 + are of different severity levels. A successful RCE requires + all of the following conditions to be met: - write access to logback.xml - use of versions < 1.2.8 - reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack + As an additional extra precaution, in addition to upgrading to logback version 1.2.8, the users are advised to set their - logback configuration files as read-only. + logback configuration files as read-only. * Changes of version 1.2.7 + Added hostnameVerification to property SSLSocketAppender. This fixes LOGBACK-1574.
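Review bot: the retained text "This impacts ContextJNDISelector and element in configuration files" on the + side of the hunk still looks like it lost the name of the configuration element (most likely an angle-bracketed tag dropped when the upstream release note was pasted); since this hunk is already rewording that paragraph, restoring the element name would make the changelog entry tell users which configuration element is affected. The added bsc#1193795 reference on the "Upgrade to version 1.2.8" line is the substantive part of the change; the remaining lines only rephrase "we have disabled/removed" into third person and strip trailing whitespace, which is fine for a .changes file but worth noting so reviewers do not read them as content changes.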