Christopher raised concern about it in

https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095

I suspect because SLF4J has to be major upgraded with logback 1.x -> 2.x, which
should not be done in bugfix releases.

I’m not sure. Maybe we should just add another OWASP suppression, but that
wouldn’t be appropriate either.

Andor



> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> 
> That’s my understanding too, but looks like folks skipped even the 3.9 
> backport in the case of logback.
> 
> Andor
> 
> 
> 
>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>> 
>> My understanding, I thought the rule was to backport any patch to all of
>> the active releases unless it's a new feature. Perhaps ask the folks who
>> committed?
>> 
>> Patrick
>> 
>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>> 
>>> Hi folks,
>>> 
>>> Currently I’m working on some backports, because OWASP reports CVEs on the
>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
>>> the master branch. Why is that?
>>> 
>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>> 
>>> Regards,
>>> Andor
>>> 