
Hi Arjohn,

I would consider logback version 1.2.9 a security fix.

--
Ceki Gülcü

Please contact suppport(at)qos.ch for donations, sponsorship or support contracts related to SLF4J or logback projects.

On 17/12/2021 10:00, Arjohn Kampman wrote:
Hi,
First of all: thank you for looking into the vulnerabilities related to the log4j news. The announcement about the 1.2.9 release is a bit light on details in how it differs from the 1.2.8 release. I thought the 1.2.8 disabled all the critical bits, which makes it safe to use again, but the news article indicates that any version prior to 1.2.9 (including 1.2.8) is vulnerable. So does this mean that 1.2.9 fixes yet more security issues, or is this more about re-enabling some things that have been disabled in 1.2.8?
Regards,
Arjohn Kampman