Comment From: bclozel

See https://jira.qos.ch/browse/LOGBACK-1591 and https://logback.qos.ch/news.html for background information. Also:

> We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. Thus, in addition to upgrading to version 1.2.8, we also recommend users to set their logback configuration files as read-only.

Comment From: SpiReCZ

https://jira.qos.ch/browse/LOGBACK-1591?focusedCommentId=20920&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-20920

@snicoll I suggest re-opening this ticket and updating to Logback 1.2.9.

Logback versions 1.2.9 and 1.3.0-alpha11 have been released simultaneously. They should be considered security fixes superseding 1.2.8.

Comment From: x80486

...and the pinned issue could be unpinned as well 😉

Comment From: w6et

Latest STABLE version: the latest stable logback version is 1.2.10. https://logback.qos.ch/news.html

Comment From: snicoll

@awei186 we're aware. We have a semi-automated process that upgrades dependencies, which we run before a release, so there's no need for this.