Hi all,

There are 2 high CVEs for the logback module (classic and core) that weren't fixed in the latest version of Spring Boot 2.7.x. The same CVEs got fixed in the latest version of Spring Boot 3.2.x. Is there any expected timeline for these vulnerabilities to be fixed in the 2.7.19 version? If so, when?

Thanks

Comment From: bclozel

Hello @AliceAmos

We have no plan for another 2.7.x open source release as this generation is out of OSS support. See https://spring.io/projects/spring-boot/#support and https://spring.io/blog/2022/05/24/preparing-for-spring-boot-3-0/#consider-commercial-support