Posted to commits@sling.apache.org by cz...@apache.org on 2021/12/17 16:05:43 UTC
[sling-org-apache-sling-commons-log] branch master updated: SLING-11021 : Update logback to 1.2.9 for CVE-2021-42550
This is an automated email from the ASF dual-hosted git repository.
cziegeler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-commons-log.git
The following commit(s) were added to refs/heads/master by this push:
new b4650f1 SLING-11021 : Update logback to 1.2.9 for CVE-2021-42550
b4650f1 is described below
commit b4650f1fd04f7ffabdda71052cf153cc05676d94
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Fri Dec 17 17:05:36 2021 +0100
SLING-11021 : Update logback to 1.2.9 for CVE-2021-42550
---
pom.xml | 10 +++++++++-
.../sling/commons/log/logback/internal/LogbackManager.java | 12 +-----------
2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/pom.xml b/pom.xml
index 154efd0..5d8d258 100644
--- a/pom.xml
+++ b/pom.xml
@@ -46,7 +46,7 @@
<properties>
<slf4j.version>1.7.32</slf4j.version>
- <logback.version>1.2.8</logback.version>
+ <logback.version>1.2.9</logback.version>
<!-- Higher versions of pax exam cause class loading errors -->
<pax-exam.version>4.13.2</pax-exam.version>
<sling.java.version>8</sling.java.version>
@@ -83,6 +83,14 @@
<groupId>biz.aQute.bnd</groupId>
<artifactId>bnd-maven-plugin</artifactId>
</plugin>
+ <plugin>
+ <groupId>biz.aQute.bnd</groupId>
+ <artifactId>bnd-baseline-maven-plugin</artifactId>
+ <configuration>
+ <!-- Disable for changes between logback 1.2.8 and 1.2.9 -->
+ <skip>true</skip>
+ </configuration>
+ </plugin>
<!-- Required for pax exam-->
<plugin>
<groupId>org.codehaus.mojo</groupId>
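Review bot: The `<skip>true</skip>` added for bnd-baseline-maven-plugin is unconditional, so API baseline checking stays off for every later build, not only the one that absorbs the logback 1.2.8 to 1.2.9 difference. While it is off, an unintended change to an exported package would presumably pass without a version bump. The existing comment gives the reason but no exit condition; I would extend it to `<!-- SLING-11021: baseline disabled only for the logback 1.2.8 -> 1.2.9 change; remove this plugin override after the next release -->` so the override is not carried forward by accident.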
diff --git a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
index e4e0557..e175118 100644
--- a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
+++ b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
@@ -53,14 +53,12 @@ import org.slf4j.bridge.SLF4JBridgeHandler;
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
-import ch.qos.logback.classic.gaffer.GafferUtil;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.classic.jul.LevelChangePropagator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.spi.LoggerContextAwareBase;
import ch.qos.logback.classic.spi.LoggerContextListener;
import ch.qos.logback.classic.turbo.TurboFilter;
-import ch.qos.logback.classic.util.EnvUtil;
import ch.qos.logback.core.Appender;
import ch.qos.logback.core.joran.GenericConfigurator;
import ch.qos.logback.core.joran.event.SaxEvent;
@@ -623,15 +621,7 @@ public class LogbackManager extends LoggerContextAwareBase {
if (configFile.getName().endsWith("xml")) {
configurator.doConfigure(configFile);
} else if (configFile.getName().endsWith("groovy")) {
- if (EnvUtil.isGroovyAvailable()) {
- // avoid directly referring to GafferConfigurator so as to
- // avoid
- // loading groovy.lang.GroovyObject . See also
- // http://jira.qos.ch/browse/LBCLASSIC-214
- GafferUtil.runGafferConfiguratorOn(getLoggerContext(), this, configFile);
- } else {
- addError("Groovy classes are not available on the class path. ABORTING INITIALIZATION.");
- }
+ addError("Configuration with groogy files is not supported in logback anymore. ABORTING INITIALIZATION.");
}
}
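Review bot: The new `addError` message in the `groovy` branch misspells "groovy" as "groogy", so an operator searching status output or logs for a rejected Groovy configuration will not find it. It should read `addError("Configuration with groovy files is not supported in logback anymore. ABORTING INITIALIZATION.");`, and appending `configFile` to the message would show which file was refused. Rejecting the file is the right outcome for this upgrade, since a Groovy configuration is executable code. The enclosing method starts outside the hunk, so I cannot see whether the caller treats this error as a failed configuration or continues with the previous or default logger setup; that is worth confirming and stating in a short comment above the branch.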