You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Guillaume Nodet (Jira)" <ji...@apache.org> on 2022/10/20 08:11:02 UTC

[jira] [Updated] (MNG-7441) Update Version of (optional) Logback to Address CVE-2021-42550

     [ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated MNG-7441:
---------------------------------
    Fix Version/s: 4.0.0-alpha-2

> Update Version of (optional) Logback to Address CVE-2021-42550
> --------------------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0-alpha-1, 4.0.0-alpha-2, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven (optionally) uses v 1.2.1. Please update to Logback 1.2.9, which includes a fix as per [https://jira.qos.ch/browse/LOGBACK-1591|[https://jira.qos.ch/browse/LOGBACK-1591].]
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}
> But I'm no expert on this code base so it's possible there are other versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)