[ https://issues.apache.org/jira/browse/ROCKETMQ-370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370796#comment-16370796 ]

ASF GitHub Bot commented on ROCKETMQ-370:
-----------------------------------------

fredsjones opened a new pull request #228: [ROCKETMQ-370] Upgrade logback to version 1.2.3
URL: https://github.com/apache/rocketmq/pull/228
 
 
## What is the purpose of the change

Upgrade the version of logback-classic and logback-core

## Brief changelog

logback in the pom.xml has been updated to 1.2.3

## Verifying this change

Follow this checklist to help us incorporate your contribution quickly and easily:

- [x] Make sure there is a [JIRA issue](https://issues.apache.org/jira/projects/ROCKETMQ/issues/) filed for the change (usually before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
- [x] Format the pull request title like `[ROCKETMQ-XXX] Fix UnknownException when host config not exist`. Each commit in the pull request should have a meaningful subject line and body.
- [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [ ] Write the necessary unit tests to verify your logic correction; more mocking is better where cross-module dependencies exist. If a new feature or significant change is committed, please remember to add an integration test in the [test module](https://github.com/apache/rocketmq/tree/master/test).
- [x] Run `mvn -B clean apache-rat:check findbugs:findbugs checkstyle:checkstyle` to make sure basic checks pass. Run `mvn clean install -DskipITs` to make sure unit tests pass. Run `mvn clean test-compile failsafe:integration-test` to make sure integration tests pass.
- [ ] If this contribution is large, please file an [Apache Individual Contributor License Agreement](http://www.apache.org/licenses/#clas).


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Currently used version of logback contains a security vulnerability
> -------------------------------------------------------------------
>
>                 Key: ROCKETMQ-370
>                 URL: https://issues.apache.org/jira/browse/ROCKETMQ-370
>             Project: Apache RocketMQ
>          Issue Type: Improvement
>            Reporter: Fred Jones
>            Assignee: vongosling
>            Priority: Minor
>
> In our exploration of your project we found that it is currently using version 1.0.13 of logback, which is vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.
>
> Recommendation:
> Upgrade the version of logback in the pom.xml to version 1.2 or higher.
>
> For additional details on this vulnerability you can visit the following websites:
> Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208
> Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
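The issue's recommendation (logback in the pom.xml at 1.2 or higher) turned into a repeatable dependency check, added here as an example; this is not code from the RocketMQ project or from the pull request. It parses a Maven POM, resolves `${property}` version references from the `<properties>` block, and flags any `ch.qos.logback` `logback-classic` or `logback-core` coordinate whose version is below the 1.2 floor, reporting unresolvable versions instead of skipping them. The two POM fragments at the bottom are constructed for this example and are not RocketMQ's pom.xml.

```python
"""Check a Maven pom.xml for logback versions below the 1.2 upgrade floor.

Added example, not code from the RocketMQ project or the pull request. The
POM fragments at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
# The issue recommends "version 1.2 or higher"; anything below is flagged.
MIN_SAFE_LOGBACK = (1, 2)
LOGBACK_GROUP = "ch.qos.logback"
LOGBACK_ARTIFACTS = {"logback-classic", "logback-core"}


def parse_version(text):
    """Map '1.0.13' or '1.2.3' to a tuple of ints so versions order correctly.

    Qualifiers after a '-' (e.g. '1.2.3-SNAPSHOT') are ignored; only the
    numeric part matters when comparing against a major.minor floor.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-", 1)[0]))


def resolve_property(value, props):
    """Expand ${name} placeholders using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_outdated_logback(pom_xml):
    """Return [(artifactId, version)] for logback dependencies below the floor.

    A version that cannot be resolved (missing, or a placeholder with no
    matching property) is reported with an 'unresolved:' prefix rather than
    silently skipped, so the audit fails closed.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for prop in root.findall("m:properties/*", NS):
        # Strip the namespace from the tag to get the property name.
        props[prop.tag.rsplit("}", 1)[-1]] = (prop.text or "").strip()

    findings = []
    # iter() also walks <dependencyManagement>, where shared versions live.
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if group != LOGBACK_GROUP or artifact not in LOGBACK_ARTIFACTS:
            continue
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version = resolve_property(raw, props)
        if not version or "${" in version:
            findings.append((artifact, f"unresolved:{raw}"))
        elif parse_version(version) < MIN_SAFE_LOGBACK:
            findings.append((artifact, version))
    return findings


# Constructed sample: the shape of the pre-PR state the issue describes.
VULNERABLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <logback.version>1.0.13</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${{logback.version}}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>${{logback.version}}</version>
    </dependency>
  </dependencies>
</project>
"""
# Constructed sample: the same POM after the upgrade the PR makes.
FIXED_POM = VULNERABLE_POM.replace("1.0.13", "1.2.3")

if __name__ == "__main__":
    for label, pom in (("before", VULNERABLE_POM), ("after", FIXED_POM)):
        hits = find_outdated_logback(pom)
        print(label, "->", hits if hits else "logback at or above 1.2")
```

Run against a real pom.xml by reading the file into `find_outdated_logback`; the property resolution matters because projects typically pin shared library versions once in `<properties>` rather than on each dependency, and a check that only looks at literal `<version>` text would miss them.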



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)