Runtime dependency - logback 1.2 - CVE-2023-6378 fix available about californium HOT 10 CLOSED

looks like a very specific setup, I suppose it's not that important, I'll take a look at 1.2.x code

from californium.

doesn't look s like 1.2.x is still maintained https://github.com/qos-ch/logback/commits/branch_1.2.x

The DoS patch on master: qos-ch/logback@9c782b4

The last 1.2 code of the same class: https://github.com/qos-ch/logback/blob/branch_1.2.x/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java

So 1.2 looks affected, and it's not yet patched (if they patch it at all)

from californium.

Yes, indeed. And the very most don't run on java 7 and may use newer versions.
So I don't think, that too many will be affected.
Anyway, I prefer, if we can get a statement about the 1.2. versions. Therefore I asked there via email.

from californium.

Thanks!

from californium.

The logback-download-page marks the 1.2.12 as INACTIVE.

Good reason, to start over with Californium 4.0 and drop java 7 support.

from californium.

Just as note:
logback 1.3 seems to require also a newer slf4j ;-(.

So, don't use "remote appender".

from californium.

And switching to slf4j 2.0.9 is the reported as API break by revapi ;-).

In my experience, revapi is unfortunately not too easy for investigate on that.

AFAIK, some code in scandium has used LOGGER with "protected", that could be changed in a version 4.0. What else need to be changed, needs investigation.

from californium.

FilteredLogger also exposes the Logger. That could also be changed to a String.

from californium.

PR #2197
First step to migrate slf4j with the next major Californium version.

from californium.

logback 1.2.13 was released today. It fixes the aforementioned CVE.

from californium.