Yeah, I agree with that, but we can’t leave things here just like that. Either we should keep updating the logging libraries on all active branches or add the necessary suppression to Owasp. Otherwise the report result will be completely meaningless.
Andor

> On Aug 4, 2025, at 08:21, Christopher <[email protected]> wrote:
>
> Yes, that is basically my concern. I commented at
> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>
> On Fri, Aug 1, 2025, 18:43 Andor Molnar <[email protected]> wrote:
>
>> Christopher raised concern about it in
>>
>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>
>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x
>> which should not be done in bugfix releases.
>>
>> I’m not sure. Maybe we should just add another Owasp suppression, but that
>> wouldn’t be appropriate either.
>>
>> Andor
>>
>>> On Jul 30, 2025, at 18:39, Andor Molnar <[email protected]> wrote:
>>>
>>> That’s my understanding too, but looks like folks skipped even the 3.9
>>> backport in the case of logback.
>>>
>>> Andor
>>>
>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <[email protected]> wrote:
>>>>
>>>> My understanding, I thought the rule was to backport any patch to all of
>>>> the active releases unless it's a new feature. Perhaps ask the folks who
>>>> committed?
>>>>
>>>> Patrick
>>>>
>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <[email protected]> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the
>>>>> 3.8 branch and noticed in the PRs that we should only upgrade logback on
>>>>> the master branch. Why is that?
>>>>>
>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/[email protected],
>>>>> cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>>>>
>>>>> Regards,
>>>>> Andor
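For readers unfamiliar with the "Owasp suppression" the thread keeps referring to, here is what such an entry looks like for the logback-core finding quoted in the first message. This is an added illustration of the OWASP dependency-check suppression file format, not a file from the ZooKeeper repository, and the thread itself leaves open whether adding one is the right call. The `until` date and the notes text are constructed placeholders; the package URL is reconstructed from the jar name and CPE in the report (the extracted mail has it mangled).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of an OWASP dependency-check suppression file.
     Not part of the ZooKeeper project; values marked "constructed" are placeholders. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" is a constructed expiry date: after it the suppression stops applying
         and the finding reappears in the report, so it cannot be forgotten indefinitely. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        CONSTRUCTED NOTE: logback-core 1.2.13 on the 3.8 branch. A fix would require
        moving to logback 2.x together with a major SLF4J upgrade, which the thread says
        should not happen in a bugfix release. Re-evaluate before the "until" date.
        ]]></notes>
        <!-- Match the exact artifact that was reported (reconstructed from the jar name
             logback-core-1.2.13.jar), not a regex over every logback version, so that a
             later version bump is scanned again instead of being silently suppressed. -->
        <packageUrl>pkg:maven/ch.qos.logback/logback-core@1.2.13</packageUrl>
        <!-- Suppress only the two CVEs named in the report, not every finding on the artifact. -->
        <cve>CVE-2024-12798</cve>
        <cve>CVE-2024-12801</cve>
    </suppress>
</suppressions>
```

The two choices worth noticing are the expiry date and the narrow match: an open-ended, regex-wide suppression is what turns the report "completely meaningless" in the sense the reply above warns about, while a dated, per-CVE, per-version entry records the reasoning and forces the question to be revisited.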
