David Handermann created NIFI-12462:
---------------------------------------
Summary: Upgrade Logback to 1.3.14
Key: NIFI-12462
URL: https://issues.apache.org/jira/browse/NIFI-12462
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
Fix For: 1.25.0, 2.0.0
Logback 1.3.13 resolved a potential denial of service attack for custom
socket-based Logback appenders, which are not used in any default NiFi
component configurations. The vulnerability was published as CVE-2023-6378.
Logback 1.3.14 includes additional improvements to the resolution, so Logback
published the same vulnerability as CVE-2023-648, marking version 1.3.13 as
vulnerable to encourage users to upgrade to the latest version.
Although current NiFi versions do not use socket-based Logback appenders,
Logback should be upgraded to the latest version on current and support
branches.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
