Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package logback for openSUSE:Factory checked in at 2022-04-28 23:08:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/logback (Old) and /work/SRC/openSUSE:Factory/.logback.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logback" Thu Apr 28 23:08:12 2022 rev:6 rq:973671 version:1.2.11 Changes: -------- --- /work/SRC/openSUSE:Factory/logback/logback.changes 2022-02-23 19:07:11.607289901 +0100 +++ /work/SRC/openSUSE:Factory/.logback.new.1538/logback.changes 2022-04-28 23:08:17.940707822 +0200 
@@ -1,0 +2,34 @@ +Thu Apr 28 04:54:39 UTC 2022 - Fridrich Strba <[email protected]> + +- Upgrade to upstream version 1.2.11 + * Backported fix for LOGBACK-1027. + * Fixed incorrect String cast in JNDIUtil. This corrects + LOGBACK-1604. + * In SMTPAppenderBase empty username parameter is now treated the + same way as null. This fixes LOGBACK-1594. + * ContextInitializer no longer complains about missing + logback.groovy configuration file. This fixes LOGBACK-1601. + * In response to CVE-2021-42550 (aka LOGBACK-1591) the following + steps were made: + 1) Hardened logback's JNDI lookup mechanism to only honor + requests in the java: namespace. All other types of requests + are ignored. + 2) SMTPAppender was hardened. + 3) Temporarily removed DB support for security reasons. + 4) Removed Groovy configuration support. As logging is so + pervasive and configuration with Groovy is probably too + powerful, this feature is unlikely to be reinstated for + security reasons. + The aforementioned vulnerability requires write access to + logback's configuration file as a prerequisite. A successul + RCE attack with CVE-2021-42550 requires all of the following + conditions to be met: + + write access to logback.xml + + use of versions < 1.2.9 + + reloading of poisoned configuration data, which implies + application restart or scan="true" set prior to attack +- Set project.build.sourceEncoding property to ISO-8859-1 to + avoid the new maven-resources-plugin chocking on trying to filter + in UTF-8 encoding JKS (binary) resources + +------------------------------------------------------------------- Old: ---- logback-1.2.8.tar.xz New: ---- logback-1.2.11.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logback.spec ++++++ --- /var/tmp/diff_new_pack.tm6Uu8/_old 2022-04-28 23:08:18.528708370 +0200 +++ /var/tmp/diff_new_pack.tm6Uu8/_new 2022-04-28 23:08:18.532708374 +0200 
@@ -17,7 +17,7 @@ Name: logback -Version: 1.2.8 +Version: 1.2.11 Release: 0 Summary: A Java logging library License: EPL-1.0 OR LGPL-2.1-or-later @@ -37,15 +37,12 @@ BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) BuildRequires: mvn(org.apache.tomcat:tomcat-coyote) -BuildRequires: mvn(org.codehaus.gmavenplus:gmavenplus-plugin) -BuildRequires: mvn(org.codehaus.groovy:groovy-all) BuildRequires: mvn(org.codehaus.janino:janino) BuildRequires: mvn(org.eclipse.jetty:jetty-server) BuildRequires: mvn(org.eclipse.jetty:jetty-util) BuildRequires: mvn(org.fusesource.jansi:jansi) BuildRequires: mvn(org.slf4j:slf4j-api) BuildRequires: mvn(org.slf4j:slf4j-ext) -#!BuildRequires: groovy-lib BuildArch: noarch %description @@ -108,13 +105,9 @@ # com.oracle:ojdbc14:10.2.0.1 com.microsoft.sqlserver:sqljdbc4:2.0 %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'host-orion']" %{name}-access -%pom_xpath_remove "pom:project/pom:profiles" %{name}-classic %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']" -%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'generateTestStubs']" logback-classic -%pom_xpath_remove "pom:executions/pom:execution/pom:goals/pom:goal[text() = 'compileTests']" logback-classic - # disable for now %pom_disable_module logback-site 
@@ -125,14 +118,11 @@ %build -# unavailable test dep maven-scala-plugin -# slf4jJAR and org.apache.felix.main are required by logback-examples modules for maven-antrun-plugin %{mvn_build} -f -- \ %if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0} -Dmaven.compiler.release=8 \ %endif - -Dorg.slf4j:slf4j-api:jar=$(build-classpath slf4j/api) \ - -Dorg.apache.felix:org.apache.felix.main:jar=$(build-classpath felix/org.apache.felix.main) + -Dsource=8 -Dproject.build.sourceEncoding=ISO-8859-1 %install %mvn_install ++++++ _service ++++++ --- /var/tmp/diff_new_pack.tm6Uu8/_old 2022-04-28 23:08:18.560708400 +0200 +++ /var/tmp/diff_new_pack.tm6Uu8/_new 2022-04-28 23:08:18.564708403 +0200 @@ -2,8 +2,10 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/qos-ch/logback.git</param> - <param name="revision">v_1.2.8</param> - <param name="versionformat">1.2.8</param> + <param name="revision">v_1.2.11</param> + <param name="match-tag">v_*</param> + <param name="versionformat">@PARENT_TAG@</param> + <param name="versionrewrite-pattern">v_(.*)</param> <param name="filename">logback</param> <param name="exclude">logback-access/lib</param> </service> ++++++ logback-1.2.8.tar.xz -> logback-1.2.11.tar.xz ++++++ ++++ 3536 lines of diff (skipped)
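Review bot: two typos in the new logback.changes entry should be fixed before check-in, since this text ships in the package changelog: "A successul RCE attack" should read "A successful RCE attack", and "maven-resources-plugin chocking" should read "choking".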
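Review bot: in the %build hunk, `-Dproject.build.sourceEncoding=ISO-8859-1` is a build-wide property, not a resources-plugin setting: it also tells javac how to decode every Java source file in every module, so any non-ASCII UTF-8 character in a source file or a filtered text resource would be silently mis-decoded. The changelog says the only goal is to stop maven-resources-plugin from filtering the binary JKS resources; a narrower fix is to keep UTF-8 and add `jks` to that plugin's `nonFilteredFileExtensions` for the affected module (for example with `%pom_xpath_inject`), or to exclude those resources from filtering. If the ISO-8859-1 override stays, a one-line comment above `%{mvn_build}` explaining why would save the next updater from "fixing" it back.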
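Review bot: the _service hunk pins `revision` to `v_1.2.11` while also switching to `match-tag` `v_*`, `versionformat` `@PARENT_TAG@` and `versionrewrite-pattern` `v_(.*)`; because the service stays `mode="disabled"`, it only runs on a manual `osc service disabledrun`, so `Version:` in logback.spec still has to be bumped by hand together with `revision`. A short note in _service or the spec that the two must move together would prevent a tarball/version mismatch on the next update. Keep `revision` pinned: on its own, `v_*` would match any tag with that prefix, pre-releases included.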
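Review bot: the @@ -37 hunk drops the gmavenplus-plugin and groovy-all BuildRequires and the `#!BuildRequires: groovy-lib` line, and the @@ -108 hunk drops the matching generateTestStubs/compileTests pom edits; that is consistent with the changelog's statement that upstream removed Groovy configuration support in response to CVE-2021-42550. It would be worth a one-line spec comment next to the remaining BuildRequires tying the removal to that CVE, so the Groovy dependencies are not re-added on a later version bump.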
