Posted to commits@dolphinscheduler.apache.org by li...@apache.org on 2022/06/18 13:53:39 UTC

[dolphinscheduler] 02/16: issue-10356: upgrade logback to fix cve (#10357)

This is an automated email from the ASF dual-hosted git repository.

liudongkai pushed a commit to branch 3.0.0-beta-2-prepare
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git

commit 67f6c003f724632619ff0c98341b111ca80eca1a
Author: PJ Fanning <pj...@users.noreply.github.com>
AuthorDate: Fri Jun 3 12:21:40 2022 +0100

    issue-10356: upgrade logback to fix cve (#10357)
    
    (cherry picked from commit d044e0479deb88c694973d0e0c51d8b7cbcfac06)
---
 dolphinscheduler-dist/release-docs/LICENSE | 4 ++--
 pom.xml                                    | 2 +-
 tools/dependencies/known-dependencies.txt  | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dolphinscheduler-dist/release-docs/LICENSE b/dolphinscheduler-dist/release-docs/LICENSE
index 0dd740217a..ff489f4c7e 100644
--- a/dolphinscheduler-dist/release-docs/LICENSE
+++ b/dolphinscheduler-dist/release-docs/LICENSE
@@ -506,8 +506,8 @@ EPL licenses
 The following components are provided under the EPL License. See project link for details.
 The text of each license is also included at licenses/LICENSE-[project].txt.
     aspectjweaver 1.9.7:https://mvnrepository.com/artifact/org.aspectj/aspectjweaver/1.9.7, EPL 1.0
-    logback-classic 1.2.3: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.3, EPL 1.0 and LGPL 2.1
-    logback-core 1.2.3: https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3, EPL 1.0 and LGPL 2.1
+    logback-classic 1.2.11: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.11, EPL 1.0 and LGPL 2.1
+    logback-core 1.2.11: https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.11, EPL 1.0 and LGPL 2.1
     h2-1.4.200 https://github.com/h2database/h2database/blob/master/LICENSE.txt, MPL 2.0 or EPL 1.0
 
 ========================================================================
diff --git a/pom.xml b/pom.xml
index ada4533989..c0ef327c74 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,7 +55,7 @@
         <spring.version>5.3.12</spring.version>
         <spring.boot.version>2.5.6</spring.boot.version>
         <java.version>1.8</java.version>
-        <logback.version>1.2.3</logback.version>
+        <logback.version>1.2.11</logback.version>
         <hadoop.version>2.7.3</hadoop.version>
         <quartz.version>2.3.2</quartz.version>
         <jackson.version>2.10.5</jackson.version>
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index b89bc00d84..8262bc32c8 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -151,8 +151,8 @@ libfb303-0.9.3.jar
 libthrift-0.9.3.jar
 log4j-1.2-api-2.14.1.jar
 log4j-1.2.17.jar
-logback-classic-1.2.3.jar
-logback-core-1.2.3.jar
+logback-classic-1.2.11.jar
+logback-core-1.2.11.jar
 lz4-1.3.0.jar
 mapstruct-1.2.0.Final.jar
 micrometer-core-1.7.5.jar