On Tue, 21 Dec 2021 at 18:48, Gary Gregory <garydgreg...@gmail.com> wrote:

> …
> I wonder what logback actually means by "Temporarily removed DB support for
> security reasons.", did they remove public or protected code? Well we have
> enough to deal with here without worrying about that.


Yeah, they deleted DBAppender. Public code that you can/should reference in
a config file. So source/binary/config incompatible.

https://github.com/qos-ch/logback/commit/87291079a1de9369ac67e20dc70a8fdc7cc4359c

So logback 1.2.8 has it, 1.2.9 doesn’t, 1.3 (JDK8+) will probably get a
security hardened version, probably then backported to make a 1.2.10 for
JDK7.

(Of course a very different project, different vulnerability, etc, so
different considerations & choices)

Spring is picking it up in their release:

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

So Twitter after Christmas will start to teach us about user response :-)

Cheers,

Leo
