Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package logback for openSUSE:Factory checked in at 2021-12-16 21:19:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/logback (Old) and /work/SRC/openSUSE:Factory/.logback.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logback" Thu Dec 16 21:19:49 2021 rev:3 rq:940932 version:1.2.8 Changes: --------
--- /work/SRC/openSUSE:Factory/logback/logback.changes 2021-05-15 01:24:58.162860153 +0200
+++ /work/SRC/openSUSE:Factory/.logback.new.2520/logback.changes 2021-12-16 21:21:01.590560377 +0100
@@ -1,0 +2,48 @@
+Thu Dec 16 16:21:39 UTC 2021 - Fridrich Strba <fst...@suse.com>
+
+- Upgrade to version 1.2.8 (bsc#1193795)
+ * Changes of version 1.2.8
+ + In response to LOGBACK-1591, all JNDI lookup code in logback
+ has been disabled until further notice. This impacts
+ ContextJNDISelector and <insertFromJNDI> element in
+ configuration files.
+ + Also in response to LOGBACK-1591, all database (JDBC) related
+ code in the project has been removed with no replacement.
+ + Note that the vulnerability mentioned in LOGBACK-1591 requires
+ write access to logback's configuration file as a
+ prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
+ are of different severity levels. A successful RCE requires
+ all of the following conditions to be met:
+ - write access to logback.xml
+ - use of versions < 1.2.8
+ - reloading of poisoned configuration data, which implies
+ application restart or scan="true" set prior to attack
+ + As an additional extra precaution, in addition to upgrading to
+ logback version 1.2.8, the users are advised to set their
+ logback configuration files as read-only.
+ * Changes of version 1.2.7
+ + Added hostnameVerification to property SSLSocketAppender.
+ This fixes LOGBACK-1574.
+ * Changes of version 1.2.6
+ + To prevent XML eXternal Entity injection (XXE) attacks, Joran
+ no longer reads external entities passed in XML files. This
+ fixes LOGBACK-1465.
+ * Changes of version 1.2.5
+ + Instead of an Appender, the LayoutWrappingEncoder now accepts
+ a variable of type ContextAware as a parent. This fixes
+ LOGBACK-1326.
+ * Changes of version 1.2.4
+ + Added support for minimum length in %i filename pattern. This
+ fixes LOGBACK-1248.
+ + For size bound log file archiving, allow
+ TimeBasedArchiveRemove to remove files with indexes containing
+ upto 5 digits. This fixes LOGBACK-1175.
+ + Added %prefix composite converter which automatically prefixes
+ child converter output with the name of the converter. 
This + feature is quite handy in environments where log files need to + be parsed and monitored. +- Changed patch: + * logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch + + Rediff to changed context + +------------------------------------------------------------------- @@ -5 +53 @@ -- Specifiy maven.compiler.release=8 to access the +- Specify maven.compiler.release=8 to access the @@ -10 +58 @@ - by reflection, in order to be able to build with jdk >= 9 + reflection, in order to be able to build with jdk >= 9 Old: ---- logback-1.1.11-jetty.patch logback-1.2.3.tar.xz New: ---- logback-1.2.8-jetty.patch logback-1.2.8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logback.spec ++++++ --- /var/tmp/diff_new_pack.cLzhBQ/_old 2021-12-16 21:21:02.198560608 +0100 +++ /var/tmp/diff_new_pack.cLzhBQ/_new 2021-12-16 21:21:02.198560608 +0100 @@ -1,7 +1,7 @@ # # spec file for package logback # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,14 +17,14 @@ Name: logback -Version: 1.2.3 +Version: 1.2.8 Release: 0 Summary: A Java logging library -License: LGPL-2.1-or-later OR EPL-1.0 +License: EPL-1.0 OR LGPL-2.1-or-later URL: https://logback.qos.ch/ Source0: %{name}-%{version}.tar.xz # Remove deprecated methods -Patch0: %{name}-1.1.11-jetty.patch +Patch0: %{name}-1.2.8-jetty.patch Patch1: logback-1.2.3-getCallerClass.patch BuildRequires: fdupes BuildRequires: maven-local 
@@ -112,6 +112,21 @@ %pom_xpath_remove "pom:project/pom:profiles/pom:profile[pom:id = 'javadocjar']" +%if %{?pkg_vcmp:%pkg_vcmp gmavenplus-plugin < 1.6}%{!?pkg_vcmp:0} +%pom_remove_plugin "org.codehaus.gmavenplus:gmavenplus-plugin" logback-classic +%pom_add_plugin "org.codehaus.gmavenplus:gmavenplus-plugin:1.5" logback-classic " + <executions> + <execution> + <goals> + <goal>generateStubs</goal> + <goal>compile</goal> + <goal>testGenerateStubs</goal> + <goal>testCompile</goal> + </goals> + </execution> + </executions>" +%endif + # disable for now %pom_disable_module logback-site ++++++ _service ++++++ --- /var/tmp/diff_new_pack.cLzhBQ/_old 2021-12-16 21:21:02.238560623 +0100 +++ /var/tmp/diff_new_pack.cLzhBQ/_new 2021-12-16 21:21:02.242560625 +0100 @@ -2,8 +2,8 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/qos-ch/logback.git</param> - <param name="revision">v_1.2.3</param> - <param name="versionformat">1.2.3</param> + <param name="revision">v_1.2.8</param> + <param name="versionformat">1.2.8</param> <param name="filename">logback</param> <param name="exclude">logback-access/lib</param> </service> ++++++ logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch ++++++ --- /work/SRC/openSUSE:Factory/logback/logback-1.1.11-jetty.patch 2019-11-19 13:45:04.820393531 +0100 +++ /work/SRC/openSUSE:Factory/.logback.new.2520/logback-1.2.8-jetty.patch 2021-12-16 21:21:01.462560327 +0100 
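Review bot: The `%if %{?pkg_vcmp:%pkg_vcmp gmavenplus-plugin < 1.6}%{!?pkg_vcmp:0}` block added in the logback.spec hunk at `@@ -112,6 +112,21 @@` has no comment explaining why the upstream gmavenplus-plugin declaration in logback-classic is removed and re-added as `1.5` with a hand-written goal list. Without one, a later maintainer cannot tell when the override can be dropped or whether the goal list must follow upstream's pom on the next version bump. I would add a comment directly above the `%if`, for example `# build root has gmavenplus-plugin < 1.6: replace upstream's plugin declaration with one that version accepts`, adjusted to the actual reason. When `pkg_vcmp` is undefined the condition expands to `0` and the override is skipped; presumably that is intended, but it is worth stating in the same comment.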
@@ -1,32 +1,21 @@ -diff --git a/logback-access/pom.xml b/logback-access/pom.xml -index ab1319b00..f16d17814 100755 ---- a/logback-access/pom.xml -+++ b/logback-access/pom.xml -@@ -45,6 +45,12 @@ - <scope>compile</scope> +--- logback-1.2.8/logback-access/pom.xml 2021-12-14 12:55:51.000000000 +0100 ++++ logback-1.2.8/logback-access/pom.xml 2021-12-16 15:35:11.255651389 +0100 +@@ -47,6 +47,12 @@ <optional>true</optional> </dependency> -+ <dependency> + <dependency> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-util</artifactId> + <scope>compile</scope> + <optional>true</optional> + </dependency> - <dependency> ++ <dependency> <groupId>org.codehaus.janino</groupId> <artifactId>janino</artifactId> -@@ -173,4 +179,4 @@ - </profile> - </profiles> - --</project> -\ No newline at end of file -+</project> -diff --git a/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java b/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java -index bb11766d9..77ca796bb 100644 ---- a/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java -+++ b/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java -@@ -209,11 +209,6 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA + <scope>compile</scope> +--- logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-14 12:55:51.000000000 +0100 ++++ logback-1.2.8/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2021-12-16 15:35:11.255651389 +0100 +@@ -209,11 +209,6 @@ started = false; } @@ -38,7 +27,7 @@ public void setFileName(String fileName) { this.fileName = fileName; } -@@ -227,26 +222,6 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA +@@ -227,26 +222,6 @@ return started; } 
@@ -65,7 +54,7 @@ public boolean isQuiet() { return quiet; } -@@ -310,13 +285,7 @@ public class RequestLogImpl extends ContextBase implements RequestLog, AppenderA +@@ -310,13 +285,7 @@ return fai.getFilterChainDecision(event); } ++++++ logback-1.2.3.tar.xz -> logback-1.2.8.tar.xz ++++++ ++++ 5145 lines of diff (skipped)