Yeah, I agree with that, but we can’t leave things here just like that. Either we should keep updating the logging libraries on all active branches or add the necessary suppression to Owasp. Otherwise the report result will be completely meaningless.
Andor

> On Aug 4, 2025, at 08:21, Christopher <ctubb...@apache.org> wrote:
>
> Yes, that is basically my concern. I commented at
> https://github.com/apache/zookeeper/pull/2290#issuecomment-3145955665
>
> On Fri, Aug 1, 2025, 18:43 Andor Molnar <an...@apache.org> wrote:
>
>> Christopher raised concern about it in
>>
>> https://github.com/apache/zookeeper/pull/2162#pullrequestreview-2037135095
>>
>> I suspect because SLF4j has to be major upgraded with logback 1.x -> 2.x which should not be done in bugfix releases.
>>
>> I’m not sure. Maybe we should just add another Owasp suppression, but that wouldn’t be appropriate either.
>>
>> Andor
>>
>>> On Jul 30, 2025, at 18:39, Andor Molnar <an...@apache.org> wrote:
>>>
>>> That’s my understanding too, but looks like folks skipped even the 3.9 backport in the case of logback.
>>>
>>> Andor
>>>
>>>> On Jul 30, 2025, at 16:36, Patrick Hunt <ph...@apache.org> wrote:
>>>>
>>>> My understanding, I thought the rule was to backport any patch to all of the active releases unless it's a new feature. Perhaps ask the folks who committed?
>>>>
>>>> Patrick
>>>>
>>>> On Wed, Jul 30, 2025 at 2:06 PM Andor Molnar <an...@apache.org> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> Currently I’m working on some backports, because OWASP reports CVEs on the 3.8 branch and noticed in the PRs that we should only upgrade logback on the master branch. Why is that?
>>>>>
>>>>> logback-core-1.2.13.jar (pkg:maven/ch.qos.logback/logback-core@1.2.13, cpe:2.3:a:qos:logback:1.2.13:*:*:*:*:*:*:*) : CVE-2024-12798, CVE-2024-12801
>>>>>
>>>>> Regards,
>>>>> Andor
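For readers unfamiliar with what an "Owasp suppression" in this thread refers to: the OWASP dependency-check plugin reads a suppressions XML file that tells it which findings to hide from the report. The entry below is an added illustration, not part of this thread and not ZooKeeper's own suppression file; it shows how the two logback-core findings quoted in the first message would be suppressed in a way that does not make the report meaningless, by scoping the entry to the exact package and CVE ids and giving it an expiry so it resurfaces. The file name, the expiry date and the note text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppressions file (assumed name: owasp-suppressions.xml);
     not ZooKeeper's real configuration. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Scoped suppression: only logback-core, only these two CVE ids.
         The "until" date is an assumption; once it passes, dependency-check
         reports the findings again, which forces the branch to be revisited
         instead of silently carrying the vulnerable version forever. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
            logback-core 1.2.13 on the 3.8 bugfix branch. Upgrading to logback 2.x
            requires a major SLF4J upgrade that is not appropriate for a bugfix
            release (see discussion on PR #2162 / #2290). Tracked as a temporary
            exception; re-evaluate before the expiry date.
        ]]></notes>
        <!-- packageUrl taken from the report line quoted in the thread -->
        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@1\.2\.13$</packageUrl>
        <cve>CVE-2024-12798</cve>
        <cve>CVE-2024-12801</cve>
    </suppress>

</suppressions>
```

The design choice worth noting is what is deliberately not used: a `<cpe>` match on `cpe:2.3:a:qos:logback` with no CVE list would hide every current and future logback finding across all modules, which is the scenario that turns the report into noise. Matching the exact package URL plus explicit CVE ids, with a time-boxed `until`, keeps the suppression as narrow as the decision that justified it.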