That’s my understanding too, but looks like folks skipped even the 3.9 backport in the case of logback.
Andor > On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote: > > My understanding, I thought the rule was to backport any patch to all of > the active releases unless it's a new feature. Perhaps ask the folks who > committed? > > Patrick > > On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote: > >> Hi folks, >> >> Currently I’m working on some backports, because OWASP reports CVEs on the >> 3.8 branch and noticed in the PRs that we should only upgrade logback on >> the master branch. Why is that? >> >> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13, >> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801 >> >> Regards, >> Andor >> >> >>
