Greetings to all,
I am happy to announce the release of logback version 1.5.19.
This release fixes CVE-11226, an ACE vulnerability made possible by
malicious XML configuration files. A successful attack requires both
Janino and Spring Framework to be present on the class path in
addition to the ability to corrupt logback XML configuration files.
Logback 1.5.x series is a direct descendant of and a drop-in
replacement for the 1.4.x series. It differs from the 1.4.x series by
the relocation of the logback-access module which was moved to its own
separate GitHub repository.
Logback-tyler (Java-only configurator):
Logback-tyler translates logback-classic XML configuration files
(logback.xml) into Java. The resulting Java class, namely
TylerConfigurator, can be used to configure logback.
For more documentation see the logback-tyler repository:
https://github.com/qos-ch/logback-tyler/
Reproducible builds:
Recent logback releases are reproducible. This means that anyone
checking out the code corresponding to the release version from GitHub
and building that local copy will obtain an identical binary to
the binary found on Maven Central.
Donations and sponsorship
You can also support SLF4J/logback/reload4j projects via
donations and sponsorship. We thank our current supporters and
sponsors for their continued contributions.
Sponsorship link: https://github.com/sponsors/qos-ch
Announcement mailing list:
You can receive SLF4J/logback/reload4j related announcements by
subscribing to the QOS.ch announce list. Please visit the following URL:
https://mailman3.qos.ch/postorius/lists/announce.qos.ch/
Enjoy,
--
Ceki Gülcü
_______________________________________________
logback-dev mailing list -- [email protected]
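
The preconditions named in the announcement (a logback version below 1.5.19 together with Janino and Spring on the class path) can be checked against a deployed library directory. The script below is an added example, not part of the original message or of the logback project; the function names are hypothetical and it assumes Maven-style jar names (logback-core-<version>.jar, janino-<version>.jar, spring-core-<version>.jar). It reports every logback-core version below 1.5.19, since the announcement does not say which older series are affected, and it does not examine who can write to the logback XML configuration files.

```shell
#!/bin/sh
# Added example: inventory check for the class path preconditions in the announcement.
FIXED="1.5.19"   # release named in the announcement as containing the fix

# version_lt A B: succeeds when dotted version A is lower than B.
# Non-numeric suffixes such as "-SNAPSHOT" are ignored (assumption).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# jar_version DIR ARTIFACT: print the version of the first ARTIFACT-<version>.jar in DIR.
jar_version() {
    for f in "$1"/"$2"-[0-9]*.jar; do
        [ -e "$f" ] || continue
        base=${f##*/}; v=${base#"$2"-}
        printf '%s\n' "${v%.jar}"
        return 0
    done
    return 1
}

# check_libdir DIR: exit status 0 = no action, 1 = logback below FIXED,
# 2 = logback below FIXED and both Janino and Spring jars present.
check_libdir() {
    dir=$1
    lb=$(jar_version "$dir" logback-core) || { echo "no logback-core jar in $dir"; return 0; }
    if ! version_lt "$lb" "$FIXED"; then
        echo "logback-core $lb: at or above $FIXED"
        return 0
    fi
    if jar_version "$dir" janino >/dev/null && jar_version "$dir" spring-core >/dev/null; then
        echo "logback-core $lb below $FIXED, Janino and Spring present: upgrade first"
        return 2
    fi
    echo "logback-core $lb below $FIXED: upgrade"
    return 1
}

# Stand-alone use: sh check.sh /path/to/WEB-INF/lib
if [ "$#" -gt 0 ]; then check_libdir "$1"; fi
```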