== Includes security fixes ==

Hello all,

In the wake of CVE-2021-44228, a serialization related vulnerability has been reported which affects logback. In response to this vulnerability we have disabled all JNDI lookup code in logback until further notice. This impacts ContextJNDISelector and the <insertFromJNDI> element in configuration files. We have also removed all database (JDBC) related code in the project with no replacement.

We note that the vulnerability mentioned in LOGBACK-1591 [1] requires write access to logback's configuration file as a prerequisite. A demo of the vulnerability can be found at [2].

We urge you to upgrade to logback 1.2.8 as soon as possible. A release on the 1.3.x branch will follow shortly.

As an additional precautionary measure, we also recommend users to set their configuration files as read-only.

Best regards,

[1] https://jira.qos.ch/browse/LOGBACK-1591
[2] https://github.com/cn-panda/logbackRceDemo

--
Ceki Gülcü
Please contact sales(at)qos.ch for support related to SLF4J or logback projects.

_______________________________________________
logback-dev mailing list
logback-dev@qos.ch
http://mailman.qos.ch/mailman/listinfo/logback-dev
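As an added example (not code from the logback project or from this announcement), the following POSIX shell functions audit a directory tree for logback configuration files that use the two JNDI features named above, list which of those files are still writable, and apply the read-only recommendation. The `logback*.xml` naming pattern is an assumption about how configuration files are named in a deployment.

```shell
#!/bin/sh
# Added example, not part of the logback project. Audits logback
# configuration files (assumed to match logback*.xml) for the JNDI
# features disabled in 1.2.8 and for writable permission bits.

# List config files under directory $1 that reference either the
# <insertFromJNDI> element or ContextJNDISelector. The "|| :" keeps the
# function's exit status 0 when grep finds nothing (find propagates a
# non-zero status from "-exec ... +" commands).
list_jndi_usage() {
    find "$1" -name 'logback*.xml' \
        -exec grep -lE '<insertFromJNDI|ContextJNDISelector' {} + 2>/dev/null || :
}

# List config files under $1 whose mode bits grant write access to anyone
# (owner, group or other). Uses "ls -l" mode string columns 2-10 so the
# check is portable and does not depend on who runs the script.
list_writable_configs() {
    find "$1" -name 'logback*.xml' -exec sh -c '
        case "$(ls -ld "$1" | cut -c2-10)" in
            *w*) printf "%s\n" "$1" ;;
        esac' _ {} \; 2>/dev/null || :
}

# Count helpers, trimmed so wc output is a bare integer on every platform.
count_jndi_usage() {
    list_jndi_usage "$1" | wc -l | tr -d ' '
}

count_writable_configs() {
    list_writable_configs "$1" | wc -l | tr -d ' '
}

# Remove all write bits from every config file under $1, as the
# announcement recommends. Ownership by a different account than the one
# running the application is also needed for this to hold; chmod alone
# does not prevent the file's owner from restoring write access.
harden_configs() {
    find "$1" -name 'logback*.xml' -exec chmod a-w {} +
}
```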