Differences between logback 1.2.8 and 1.2.9

Hi,
First of all: thank you for looking into the vulnerabilities related to the log4j news. The announcement about the 1.2.9 release is a bit light on details in how it differs from the 1.2.8 release. I thought the 1.2.8 disabled all the critical bits, which makes it safe to use again, but the news article indicates that any version prior to 1.2.9 (including 1.2.8) is vulnerable. So does this mean that 1.2.9 fixes yet more security issues, or is this more about re-enabling some things that have been disabled in 1.2.8?
Regards,
Arjohn Kampman

Hi Arjohn,
I would consider logback version 1.2.9 a security fix.
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support contracts related to SLF4J or logback projects.
On 17/12/2021 10:00, Arjohn Kampman wrote:
Hi,
First of all: thank you for looking into the vulnerabilities related to the log4j news. The announcement about the 1.2.9 release is a bit light on details in how it differs from the 1.2.8 release. I thought the 1.2.8 disabled all the critical bits, which makes it safe to use again, but the news article indicates that any version prior to 1.2.9 (including 1.2.8) is vulnerable. So does this mean that 1.2.9 fixes yet more security issues, or is this more about re-enabling some things that have been disabled in 1.2.8?
Regards,
Arjohn Kampman

Hi Ceki,
I'm trying to assess if the update which has been sent to customers, and which includes 1.2.8, is safe to use, or if they will need another update. It's quite a bit of work to do this, so I would appreciate it a lot if you could give some more insight. Which risks remain if the customer sticks to logback 1.2.8?
On 17/12/2021 10:08, Ceki Gülcü wrote:
Hi Arjohn,
I would consider logback version 1.2.9 a security fix.

Hello Arjohn,
I apologize for the inconvenience. Do upgrade.
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support contracts related to SLF4J or logback projects.
On 17/12/2021 10:29, Arjohn Kampman wrote:
Hi Ceki,
I'm trying to assess if the update which has been sent to customers, and which includes 1.2.8, is safe to use, or if they will need another update. It's quite a bit of work to do this, so I would appreciate it a lot if you could give some more insight. Which risks remain if the customer sticks to logback 1.2.8?
On 17/12/2021 10:08, Ceki Gülcü wrote:
Hi Arjohn,
I would consider logback version 1.2.9 a security fix.

Hi again,
I should also say that while the threat characteristics between log4shell and CVE-2021-42550 affecting logback are significantly different, it is not our place to estimate each use case and deployment configuration. As logback maintainers, we must assume the worst case.
Best regards,
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support contracts related to SLF4J or logback projects.
On 17/12/2021 10:29, Arjohn Kampman wrote:
Hi Ceki,
I'm trying to assess if the update which has been sent to customers, and which includes 1.2.8, is safe to use, or if they will need another update. It's quite a bit of work to do this, so I would appreciate it a lot if you could give some more insight. Which risks remain if the customer sticks to logback 1.2.8?
On 17/12/2021 10:08, Ceki Gülcü wrote:
Hi Arjohn,
I would consider logback version 1.2.9 a security fix.
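The practical outcome of this thread is a version floor: the maintainer treats 1.2.9 as the security fix for CVE-2021-42550, so any logback 1.2.x artifact below 1.2.9 on a deployed classpath (1.2.8 included) warrants another update. The following is an added example, not part of the mailing list thread and not logback's own tooling, of how a deployment owner can inventory classpath entries against that floor. It assumes the usual artifact naming (logback-core-x.y.z.jar, logback-classic-x.y.z.jar, logback-access-x.y.z.jar); the sample classpath is constructed. One point it makes that a quick grep does not: versions must be compared numerically, since a string comparison ranks "1.2.10" below "1.2.9", and pre-release names that cannot be parsed are reported as unknown rather than silently passed.

```python
import re
from pathlib import Path

# Release the thread identifies as the security fix for CVE-2021-42550.
# Earlier 1.2.x releases, 1.2.8 included, are treated as affected.
FIXED_VERSION = (1, 2, 9)

# Assumed artifact naming: logback-<module>-<version>.jar (constructed pattern).
JAR_RE = re.compile(r"^logback-(core|classic|access)-(.+)\.jar$")


def parse_version(text):
    """Parse a plain 'x.y.z' release string into an int tuple.

    Tuples compare numerically, so (1, 2, 10) > (1, 2, 9), whereas the strings
    '1.2.10' < '1.2.9'. Pre-release strings such as '1.3.0-alpha12' return None
    so the caller can flag them for manual review instead of guessing.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def classify_jar(path):
    """Classify one classpath entry.

    Returns 'vulnerable' (below the fixed release), 'fixed', 'unknown'
    (a logback jar whose version could not be parsed) or None (not logback).
    """
    m = JAR_RE.match(Path(path).name)
    if m is None:
        return None
    version = parse_version(m.group(2))
    if version is None:
        return "unknown"
    return "fixed" if version >= FIXED_VERSION else "vulnerable"


def scan_classpath(entries):
    """Map each logback jar found among the classpath entries to its status."""
    report = {}
    for entry in entries:
        status = classify_jar(entry)
        if status is not None:
            report[Path(entry).name] = status
    return report


def needs_update(entries):
    """True if any logback jar is below the fixed release or cannot be assessed."""
    return any(s in ("vulnerable", "unknown")
               for s in scan_classpath(entries).values())


# Constructed sample classpath: an update that shipped 1.2.8 (the situation
# described in the thread), one already-upgraded entry and an unrelated jar.
SAMPLE_CLASSPATH = [
    "/opt/app/lib/logback-core-1.2.8.jar",
    "/opt/app/lib/logback-classic-1.2.8.jar",
    "/opt/other/lib/logback-core-1.2.9.jar",
    "/opt/app/lib/slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for jar, status in scan_classpath(SAMPLE_CLASSPATH).items():
        print(f"{status:<10} {jar}")
    print("update required" if needs_update(SAMPLE_CLASSPATH)
          else "no logback update required")
```

In practice the entries would come from the application's real classpath (for example the output of a jar listing of the deployed lib directory); the functions above only look at file names, so the same check can be applied to a Maven dependency list once the artifact names are extracted from it.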