OBS-URL: https://build.opensuse.org/package/show/Java:packages/logback?expand=0&rev=8

logback.changes

@@ -1,26 +1,26 @@
 -------------------------------------------------------------------
 Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fstrba@suse.com>
 
-- Upgrade to version 1.2.8
+- Upgrade to version 1.2.8 (bsc#1193795)
   * Changes of version 1.2.8
-    + In response to LOGBACK-1591, we have disabled all JNDI lookup
+    + In response to LOGBACK-1591, all JNDI lookup code in logback
-      code in logback until further notice. This impacts
+	  has been disabled until further notice. This impacts
       ContextJNDISelector and <insertFromJNDI> element in
       configuration files.
-    + Also in response to LOGBACK-1591, we have removed all database
+    + Also in response to LOGBACK-1591, all database (JDBC) related
-      (JDBC) related code in the project with no replacement.
+	  code in the project has been removed with no replacement.
     + Note that the vulnerability mentioned in LOGBACK-1591 requires
       write access to logback's configuration file as a
-	  prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
+      prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
-	  are of different severity levels. A successful RCE requires
+      are of different severity levels. A successful RCE requires
-	  all of the following conditions to be met:
+      all of the following conditions to be met:
       - write access to logback.xml
       - use of versions < 1.2.8
       - reloading of poisoned configuration data, which implies
         application restart or scan="true" set prior to attack
     + As an additional extra precaution, in addition to upgrading to
       logback version 1.2.8, the users are advised to set their
-	  logback configuration files as read-only.
+      logback configuration files as read-only.
   * Changes of version 1.2.7
     + Added hostnameVerification to property SSLSocketAppender.
       This fixes LOGBACK-1574.