Upgrade to Logback 1.5.13.
Comment From: snicoll
Unfortunately, this seems to have broken us. I've raised https://github.com/qos-ch/logback/issues/885
Comment From: edigu
Can confirm that 1.5.14 works as intended.
Comment From: lzysuqianqiu
1.5.15 is out
Comment From: ali-hamza-noor
@snicoll can I raise a PR for this?
Comment From: philwebb
There's no need thanks @ali-hamza-noor, we have an automated process.
Comment From: xalvarez
Hello, I wanted to bring to your attention that logback-core versions < 1.5.13 are affected by the following security vulnerabilities:
- https://github.com/advisories/GHSA-pr98-23f8-jwxv
- https://github.com/advisories/GHSA-6v67-2wr5-gvf4
Could we expect a new version of Spring Boot that includes the patched logback-core dependency to be released soon?
Comment From: wilkinsona
The next round of Spring Boot releases is on 23 January. In the meantime, you can manually upgrade to a version of Logback that meets your needs using the logback.version property. You may also want to consider the likelihood of being affected by either vulnerability. Both appear to require an attacker to be able to set an environment variable or to modify a Logback configuration file. If either of those is possible, you likely have bigger problems.
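One way to confirm that a logback.version override took effect, as an added example that is not part of the original thread: the Python check below scans `mvn dependency:list` output for logback-core entries below 1.5.13. It assumes a Maven build; the function names and the sample listings are constructed for illustration.

```python
import re

# Per the comment above: logback-core versions below 1.5.13 are affected.
PATCHED = (1, 5, 13)

# Coordinates as printed by `mvn dependency:list`:
#   groupId:artifactId:type:version:scope
COORD = re.compile(r"ch\.qos\.logback:logback-core:jar:([^:\s]+):(\w+)")


def parse_version(text):
    """Return the leading numeric part of a version as a tuple, or None.

    Qualifiers such as -SNAPSHOT are ignored (a simplification made here).
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def unpatched_logback(dependency_list):
    """Return (version, scope) for each logback-core entry below PATCHED.

    Versions that cannot be parsed are reported too, so that they get
    reviewed by hand rather than silently passing.
    """
    findings = []
    for version, scope in COORD.findall(dependency_list):
        parsed = parse_version(version)
        if parsed is None or parsed < PATCHED:
            findings.append((version, scope))
    return findings


# Constructed sample output, not taken from a real build.
BEFORE = """\
[INFO]    com.example:app-lib:jar:1.0.0:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.5.12:compile
[INFO]    ch.qos.logback:logback-core:jar:1.5.12:compile
"""
# The same listing as it would look once logback.version is set to 1.5.16.
AFTER = BEFORE.replace("1.5.12", "1.5.16")

if __name__ == "__main__":
    for label, listing in (("before override", BEFORE), ("after override", AFTER)):
        print(label, unpatched_logback(listing) or "ok")
```

Tuple comparison keeps the ordering numeric, so 1.5.9 is flagged and 1.10.0 is not, which a plain string comparison would get wrong.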
Comment From: lzysuqianqiu
1.5.16 is out