Posted to notifications@groovy.apache.org by "Paul King (Jira)" <ji...@apache.org> on 2021/12/23 02:23:00 UTC

[jira] [Updated] (GROOVY-10431) Bump logback to 1.2.9 (test dependency)

     [ https://issues.apache.org/jira/browse/GROOVY-10431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul King updated GROOVY-10431:
-------------------------------
    Description: 
Groovy doesn't bundle a version of Logback in its distribution nor list it as a dependency in its pom (or bom), so isn't directly affected by CVE-2021-42550. Folks using logback directly may wish to upgrade their version or follow the advice in the links.

Note that Logback 1.2.9 disables Groovy configuration support for being "too powerful". Users relying on that feature may wish to stay using Logback 1.2.8 but please ensure your configuration files have appropriate file system protections.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
https://jira.qos.ch/browse/LOGBACK-1591

> Bump logback to 1.2.9 (test dependency)
> ---------------------------------------
>
>                 Key: GROOVY-10431
>                 URL: https://issues.apache.org/jira/browse/GROOVY-10431
>             Project: Groovy
>          Issue Type: Dependency upgrade
>            Reporter: Paul King
>            Priority: Major
>
> Groovy doesn't bundle a version of Logback in its distribution nor list it as a dependency in its pom (or bom), so isn't directly affected by CVE-2021-42550. Folks using logback directly may wish to upgrade their version or follow the advice in the links.
> Note that Logback 1.2.9 disables Groovy configuration support for being "too powerful". Users relying on that feature may wish to stay using Logback 1.2.8 but please ensure your configuration files have appropriate file system protections.
> See also:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
> https://jira.qos.ch/browse/LOGBACK-1591



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
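The two practical points in the issue above are (a) find out whether a build pulls in a logback older than 1.2.9 at all, directly or transitively, and (b) if a logback.groovy configuration is in use, know that 1.2.9 will stop honouring it and that the configuration file itself must not be writable by anyone but the owner. The following audit script is an added example written for this page; it is not code from the Jira issue, from Paul King, or from the Groovy or Logback projects. It assumes the dependency tree is the text printed by `mvn dependency:tree` or `gradle dependencies`, and it takes 1.2.9 as the threshold version purely because the issue names it. The sample tree text inside the script is constructed, not captured from a real build.

```python
"""Audit a JVM project for the two points raised in GROOVY-10431.

Added example, not from the Jira issue or the Groovy/Logback projects.
Assumptions: dependency tree text is in `mvn dependency:tree` or
`gradle dependencies` form; 1.2.9 is treated as the fixed line because
the issue names it. Pre-release suffixes such as -SNAPSHOT are ignored.
"""
import re
import stat
from pathlib import Path

# Version named in the issue as the one that disables Groovy config (assumption: fix line).
FIXED = (1, 2, 9)

# Matches a logback coordinate in Maven ("ch.qos.logback:logback-classic:jar:1.2.3:compile")
# or Gradle ("ch.qos.logback:logback-classic:1.2.3 -> 1.2.9 (*)", or a constraint-only
# "ch.qos.logback:logback-core -> 1.2.9") tree output. A "-> x.y.z" arrow means Gradle
# resolved a different version than the one declared, so the arrow wins.
COORD = re.compile(
    r"ch\.qos\.logback:(?P<artifact>logback-(?:classic|core|access))"
    r"(?::(?:jar:)?(?P<declared>\d+(?:\.\d+)*))?"
    r"(?:[^\n]*?->\s*(?P<resolved>\d+(?:\.\d+)*))?"
)

# Config file names logback looks for on the classpath (names only; locations are yours).
CONFIG_NAMES = ("logback.xml", "logback-test.xml", "logback.groovy", "logback-test.groovy")


def parse_version(text):
    """'1.2.11' -> (1, 2, 11); tuple comparison orders versions numerically."""
    return tuple(int(p) for p in text.split("."))


def logback_versions(tree_text):
    """Return {artifact: effective version string} for every logback artifact in the dump."""
    found = {}
    for m in COORD.finditer(tree_text):
        version = m.group("resolved") or m.group("declared")
        if version:
            found[m.group("artifact")] = version
    return found


def vulnerable(version):
    """True if the version is below the threshold the issue names."""
    return parse_version(version) < FIXED


def loose_permissions(mode):
    """True if group or others can write the file: the precondition for editing a logback config."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(tree_text, config_dir):
    """Return a list of human-readable findings; empty list means nothing to do."""
    findings = []
    for artifact, version in logback_versions(tree_text).items():
        if vulnerable(version):
            findings.append(f"{artifact} {version} is below "
                            f"{'.'.join(map(str, FIXED))}: upgrade (CVE-2021-42550)")
    for name in CONFIG_NAMES:
        path = Path(config_dir) / name
        if not path.is_file():
            continue
        if name.endswith(".groovy"):
            findings.append(f"{name}: Groovy configuration is disabled in logback 1.2.9; "
                            f"migrate to XML or stay on 1.2.8 with a locked-down config")
        if loose_permissions(path.stat().st_mode):
            findings.append(f"{name}: writable by group/other; restrict it (e.g. chmod 640)")
    return findings


# Constructed sample: a Gradle-style tree where a library declared 1.2.3 but
# conflict resolution picked 1.2.8, which is still below the threshold.
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.groovy:groovy:4.0.0
\\--- some.lib:uses-logback:2.0
     +--- ch.qos.logback:logback-classic:1.2.3 -> 1.2.8 (*)
     \\--- ch.qos.logback:logback-core:1.2.3 -> 1.2.8
"""

if __name__ == "__main__":
    # Assumed config location; adjust to where your build keeps logback.* files.
    for line in audit(SAMPLE_TREE, "src/main/resources"):
        print(line)
```

Feed it real output, for example `gradle dependencies --configuration runtimeClasspath` or `mvn dependency:tree`, because it is the resolved runtime version that matters, not the one a POM happens to declare. The permission check is the script's reading of "appropriate file system protections": a config file that only the service owner can write.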