Groovy / GROOVY-10431: Bump logback to 1.2.9 (test dependency)


Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.0-rc-2
    • Component/s: None
    • Labels: None

    Description

      Groovy doesn't bundle a version of Logback in its distribution nor list it as a dependency in its pom (or bom), so it isn't directly affected by CVE-2021-42550. Logback is only a test dependency of the Groovy build, and this issue bumps that test dependency to 1.2.9. Folks using Logback directly in their own projects may wish to upgrade their version or follow the advice in the links below.

      Note that Logback 1.2.9 disables Groovy configuration support (logback.groovy) for being "too powerful". Users relying on that feature may wish to stay on Logback 1.2.8, but please ensure your configuration files have appropriate file system protections, since a writable logback.groovy is executed as code by the logging framework.

      See also:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
      https://jira.qos.ch/browse/LOGBACK-1591

      People

        Assignee: paulk Paul King
        Reporter: paulk Paul King
        Votes: 0
        Watchers: 1