[JIRA] Updates for SLF4J-455: Missing 1.8.0 stable build, no CVEs patches... beta-2 not complete...

SLF4J / SLF4J-455 [Resolved]
Missing 1.8.0 stable build, no CVEs patches... beta-2 not complete...

==============================

Here's what changed in this issue in the last few minutes.
There are 2 comments.

View or comment on issue using this link
https://jira.qos.ch/browse/SLF4J-455

==============================

2 comments

------------------------------

Neustradamus on 13/Jan/22 9:09 PM

@ceki: I know that 1.8-beta is now 2.0-alpha.

CVE-2018-8088 has been fixed in 1.7.26 and 1.8.0-beta4 after my requests by e-mail, JIRA, and Twitter.

But in the CVE-2018-8088 it is noted solved in 1.8.0-beta2 but it is NOT TRUE IT IS IN 1.8.0-beta4 and it has been solved in stable branch in 1.7.26, it is not specified:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
- https://www.google.com/search?q=CVE-2018-8088

There is a problem in description of the CVE-2018-8088:

```
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
```

Time to request the update with reality the JIRA ticket number 455 and the CVE:
- 1.8.0-beta4
- 1.7.26

JIRA:
- https://jira.qos.ch/browse/SLF4J-455
- http://mailman.qos.ch/pipermail/slf4j-dev/2019-February/005118.html

Your tickets about CVE but it has been solved in 1.8.0-beta4: https://www.slf4j.org/news.html

There was not a 1.8.0-beta3!
- Currently it is specified 1.8.0-beta3: https://jira.qos.ch/browse/SLF4J-430
- Currently it is specified 1.8.0-beta2: https://jira.qos.ch/browse/SLF4J-431

Mail:
- http://mailman.qos.ch/pipermail/slf4j-user/2019-February/001700.html
- http://mailman.qos.ch/pipermail/slf4j-dev/2019-February/005115.html

Twitter:
- https://twitter.com/neustradamus/status/1095041579780374529
- https://twitter.com/neustradamus/status/1098724924607393794
- https://twitter.com/neustradamus/status/1098725012494635008
- https://twitter.com/neustradamus/status/1411324627582963722

------------------------------

Ceki Gülcü on 13/Jan/22 9:12 PM

The issue has been solved in all live branches. What do you want to be done at this time?

==============================

This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)

participants (1)
- QOS.CH (JIRA)