You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/04/07 09:58:00 UTC

[jira] [Commented] (MNG-7441) Update Version of Logback to Address CVE-2021-42550

    [ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518754#comment-17518754 ] 

Michael Osipov commented on MNG-7441:
-------------------------------------

Doens't this apply to 3.9.x and 4.x as well?

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Priority: Major
>             Fix For: 3.8.6
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to Logback 1.2.9, which includes a fix as per [https://jira.qos.ch/browse/LOGBACK-1591|[https://jira.qos.ch/browse/LOGBACK-1591].]
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}
> But I'm no expert on this code base so it's possible there are other versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)