My understanding, I thought the rule was to backport any patch to all of the active releases unless it's a new feature. Perhaps ask the folks who committed?
Patrick On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote: > Hi folks, > > Currently I’m working on some backports, because OWASP reports CVEs on the > 3.8 branch and noticed in the PRs that we should only upgrade logback on > the master branch. Why is that? > > logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13, > cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801 > > Regards, > Andor > > >
