You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Tamás Cservenák (Jira)" <ji...@apache.org> on 2022/04/08 08:09:00 UTC

[jira] [Closed] (MNG-7441) Update Version of Logback to Address CVE-2021-42550

     [ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tamás Cservenák closed MNG-7441.
--------------------------------

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to Logback 1.2.9, which includes a fix as per [https://jira.qos.ch/browse/LOGBACK-1591|[https://jira.qos.ch/browse/LOGBACK-1591].]
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}
> But I'm no expert on this code base so it's possible there are other versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)