Yes, that is basically my concern. I commented at https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665

On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
> Christopher raised concern about it in
>
> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>
> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
> which should not be done in bugfix releases.
>
> I’m not sure. Maybe we should just add another Owasp suppression, but that
> wouldn’t be appropriate either.
>
> Andor
>
> > On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
> >
> > That’s my understanding too, but looks like folks skipped even the 3.9
> > backport in the case of logback.
> >
> > Andor
> >
> >> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
> >>
> >> My understanding, I thought the rule was to backport any patch to all of
> >> the active releases unless it's a new feature. Perhaps ask the folks who
> >> committed?
> >>
> >> Patrick
> >>
> >> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
> >>
> >>> Hi folks,
> >>>
> >>> Currently I’m working on some backports, because OWASP reports CVEs on the
> >>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
> >>> the master branch. Why is that?
> >>>
> >>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13,
> >>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
> >>>
> >>> Regards,
> >>> Andor