Changelog for
logback-1.2.11-150200.3.7.3.noarch.rpm :
* Thu Apr 28 2022 fstrbaAATTsuse.com- Upgrade to upstream version 1.2.11
* Backported fix for LOGBACK-1027.
* Fixed incorrect String cast in JNDIUtil. This corrects LOGBACK-1604.
* In SMTPAppenderBase empty username parameter is now treated the same way as null. This fixes LOGBACK-1594.
* ContextInitializer no longer complains about missing logback.groovy configuration file. This fixes LOGBACK-1601.
* In response to CVE-2021-42550 (aka LOGBACK-1591) the following steps were made: 1) Hardened logback\'s JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. 2) SMTPAppender was hardened. 3) Temporarily removed DB support for security reasons. 4) Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons. The aforementioned vulnerability requires write access to logback\'s configuration file as a prerequisite. A successul RCE attack with CVE-2021-42550 requires all of the following conditions to be met: + write access to logback.xml + use of versions < 1.2.9 + reloading of poisoned configuration data, which implies application restart or scan=\"true\" set prior to attack- Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on trying to filter in UTF-8 encoding JKS (binary) resources
* Tue Feb 22 2022 fstrbaAATTsuse.com- Do not build against the log4j12 packages
* Fri Dec 17 2021 fstrbaAATTsuse.com- Do not execute goals generateTestStubs and compileTests of gmavenplus-plugin, since we are not compiling or runnig tests during the rpm build. This also allows us to use a wider range of gmavenplus-plugin versions, since those executions changed names in 1.6.
* Thu Dec 16 2021 fstrbaAATTsuse.com- Upgrade to version 1.2.8 (bsc#1193795)
* Changes of version 1.2.8 + In response to LOGBACK-1591, all JNDI lookup code in logback has been disabled until further notice. This impacts ContextJNDISelector and
element in configuration files. + Also in response to LOGBACK-1591, all database (JDBC) related code in the project has been removed with no replacement. + Note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback\'s configuration file as a prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591 are of different severity levels. A successful RCE requires all of the following conditions to be met: - write access to logback.xml - use of versions < 1.2.8 - reloading of poisoned configuration data, which implies application restart or scan=\"true\" set prior to attack + As an additional extra precaution, in addition to upgrading to logback version 1.2.8, the users are advised to set their logback configuration files as read-only.
* Changes of version 1.2.7 + Added hostnameVerification to property SSLSocketAppender. This fixes LOGBACK-1574.
* Changes of version 1.2.6 + To prevent XML eXternal Entity injection (XXE) attacks, Joran no longer reads external entities passed in XML files. This fixes LOGBACK-1465.
* Changes of version 1.2.5 + Instead of an Appender, the LayoutWrappingEncoder now accepts a variable of type ContextAware as a parent. This fixes LOGBACK-1326.
* Changes of version 1.2.4 + Added support for minimum length in %i filename pattern. This fixes LOGBACK-1248. + For size bound log file archiving, allow TimeBasedArchiveRemove to remove files with indexes containing upto 5 digits. This fixes LOGBACK-1175. + Added %prefix composite converter which automatically prefixes child converter output with the name of the converter. This feature is quite handy in environments where log files need to be parsed and monitored.- Changed patch:
* logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch + Rediff to changed context
* Fri Nov 29 2019 fstrbaAATTsuse.com- Do not force building with java < 9- Specify maven.compiler.release=8 to access the java.util.function.Supplier API, introduced in java 8- Added patch:
* logback-1.2.3-getCallerClass.patch + Access the sun.reflect.Reflection.getCallerClass by reflection, in order to be able to build with jdk >= 9
* Sun Nov 17 2019 fstrbaAATTsuse.com- Initial packaging of logback 1.2.3