dependabot[bot] opened a new pull request, #6560:
URL: https://github.com/apache/incubator-kie-drools/pull/6560
Bumps [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) from
1.5.20 to 1.5.25.
Release notes
Sourced from https://github.com/qos-ch/logback/releases";>ch.qos.logback:logback-core's
releases.
Logback 1.5.25
2026-01-17 Release of logback version 1.5.25
• When processing configuration files, logback-core will now only
instantiate components compatible with the class expected by the encapsulating
class. This fixes an ACE vulnerability recorded as https://www.cve.org/cverecord?id=CVE-2026-1225";>CVE-2026-1225.
• In configuration files, referencing a single undeclared appender would
cause all referenced appenders to be skipped. This issue was discovered in https://redirect.github.com/qos-ch/logback/issues/997";>issues/997.
• Added VersionUtil class to logback-core. This utility class checks for
version compatibility issues and alerts the user if need be.
• Added https://logback.qos.ch/manual/layouts.html#epoch";>EpochConverter to
output milliseconds/seconds since epoch. This enhancement was requested by
Duncan Jauncey in https://redirect.github.com/qos-ch/logback/pull/1000";>issues/1000 who
also provided the relevant implementation PR.
• A bit-wise identical binary of this version can be reproduced by
building from source code at commit f426e0002800cfb507f393fcacffe0761a425220
associated with the tag v_1.5.25. Release built using Java "21"
2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.
Logback 1.5.24
2026-01-06 Release of logback version 1.5.24
• Added ExpressionPropertyCondition a PropertyCondition that can evaluate
boolean expressions similar to Java. See https://logback.qos.ch/manual/configuration.html#conditionalExp";>the
relevant documentation for further details.
• A bit-wise identical binary of this version can be reproduced by
building from source code at commit 62bc5fc245dd3a52f3dd45e232733f4cefb4806d
associated with the tag v_1.5.24. Release built using Java "21"
2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.
Logback 1.5.23
2025-12-21 Release of logback version 1.5.23
• In response to https://redirect.github.com/qos-ch/logback/issues/959";>issues/959
file name collisions are detected at configuration time by analyzing the
configuration file and no longer at run time. This avoids the
ConcurrentModificationException reported in the issue.
• ZIP and XZ compression now use a BufferedOutputStream when
writing to the compressed file. This issue was reported in https://redirect.github.com/qos-ch/logback/issues/988";>issues/988.
• A bit-wise identical binary of this version can be reproduced by
building from source code at commit 0bcc3feb54a6d99caac70969ee5f8334aad1fbaf
associated with the tag v_1.5.23. Release built using Java "21"
2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.
Logback 1.5.22
2025-12-11 Release of logback version 1.5.22
• In order to prevent involuntary information leakage, Logback will no
longer output the value of a substituted variable, if the variable name
contains any of the case-insensitive strings "password",
"secret" or "confidential". This problem was reported by
Chintan Rohila in https://redirect.github.com/qos-ch/logback/issues/986";>issues/986.
• Logback now takes the overridden toString() method of
Throwable subclasses into account when printing stack traces.
This issue was reported in https://jira.qos.ch/browse/LOGBACK-543";>LOGBACK-543 by Alvin Chee,
with a fix provided in https://redirect.github.com/qos-ch/logback/pull/404";>PR 404 by Brett
Kail.
• Instead of limit-counting guard, Logback now uses a tumbling-window
guard to rate limit internal error messages.
• A bit-wise identical binary of this version can be reproduced by
building from source code at commit 572379aabd2f672b49593e4020696c624541e5b0
associated with the tag v_1.5.22. Release built using Java "21"
2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.
Logback 1.5.21
2025-11-10 Release of logback version 1.5.21
• Invocations of turbo filters in isDebugEnabled, isInfoEnabled()...
remain as they were, untouched. However, any installed instances of TurboFilter
are now invoked also from within the log(LoggingEvent) method of https://github.com/qos-ch/logback/blob/master/logback-classic/src/main/java/ch/qos/logback/classic/Logger.java#L817";>Logger
with the contents of the LoggingEvent, typically via the fluent API. This
fixes https://redirect.github.com/qos-ch/logback/issues/871";>issues/871.
• Removed reentry-guard in most subclasses of
UnsynchronizedAppenderBase where it was not needed.
• https://logback.qos.ch/manual/configuration.html#auto_configuration";>Initialization
procedure has been simplified by removing the step instantiating a
SerializedModelConfigurator. However, it is still p
