Posted to issues@maven.apache.org by "Tamás Cservenák (Jira)" <ji...@apache.org> on 2022/04/08 08:05:00 UTC

[jira] [Comment Edited] (MNG-7441) Update Version of Logback to Address CVE-2021-42550

    [ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519382#comment-17519382 ] 

Tamás Cservenák edited comment on MNG-7441 at 4/8/22 8:04 AM:
--------------------------------------------------------------

Yes, I will create a commit for 3.9 (as I guess the PR voted for 3.8.x does it) and 4.0 (same thing). The change is trivial and there is consensus to do it (on the 3.8.x PR), so let's not create a lot of noise.


was (Author: cstamas):
Yes, I will create PRs for 3.9 and 4.0

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven uses v1.2.1. Please update to Logback 1.2.9, which includes a fix as per [https://jira.qos.ch/browse/LOGBACK-1591].
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}.
> But I'm no expert on this code base, so it's possible there are other versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
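As an added illustration (not code from the Maven project or from anyone on this thread), the following Python scans POM files for ch.qos.logback dependencies, resolves versions pinned through a property, and flags anything below 1.2.9 or left unversioned, the inherited case the reporter points to in ./maven-embedder/pom.xml. The two sample POMs are constructed here and are not Maven's real files.

```python
import xml.etree.ElementTree as ET
POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
FIXED = (1, 2, 9)  # Logback 1.2.9 carries the LOGBACK-1591 fix for CVE-2021-42550

# Constructed sample input modelled on the two files named in the issue: 1.2.1 pinned
# through a property in the root POM, an unversioned reference in the embedder POM.
SAMPLE_POMS = {
    "./pom.xml": f"""<project xmlns="{POM_NS}">
  <properties><logbackVersion>1.2.1</logbackVersion></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
    <version>${{logbackVersion}}</version>
  </dependency></dependencies></dependencyManagement>
</project>""",
    "./maven-embedder/pom.xml": f"""<project xmlns="{POM_NS}">
  <dependencies><dependency>
    <groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
  </dependency></dependencies>
</project>""",
}

def parse_version(text):
    """'1.2.1' -> (1, 2, 1); non-numeric parts such as 'SNAPSHOT' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.replace("-", ".").split("."))

def find_logback_refs(pom_xml):
    """Yield (artifactId, version|None) per ch.qos.logback dep; ${prop} resolved from <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        if dep.findtext("m:groupId", "", NS).strip() != "ch.qos.logback":
            continue
        ver = dep.findtext("m:version", None, NS)
        if ver is not None:
            ver = ver.strip()
            if ver.startswith("${") and ver.endswith("}"):
                ver = props.get(ver[2:-1])  # unknown property stays unresolved (None)
        yield dep.findtext("m:artifactId", "", NS).strip(), ver

def audit(poms):
    """Classify each Logback ref as 'vulnerable', 'ok' or 'unversioned' (inherited; check the parent)."""
    findings = []
    for path, xml in poms.items():
        for artifact, ver in find_logback_refs(xml):
            status = "unversioned" if ver is None else (
                "vulnerable" if parse_version(ver) < FIXED else "ok")
            findings.append((path, artifact, ver, status))
    return findings
```

An unversioned hit is not automatically safe: the effective version comes from the parent's dependencyManagement, so that file must be checked too.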