[ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519623#comment-17519623 ]

Hudson commented on MNG-7441:
-----------------------------

Build succeeded in Jenkins: Maven » Maven TLP » maven » PR-565 #12

See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-565/12/

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0-alpha-1, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to Logback 1.2.9, which includes a fix as per [https://jira.qos.ch/browse/LOGBACK-1591].
>
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}
>
> But I'm no expert on this code base so it's possible there are other versioned references.
>
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
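The reporter located the outdated Logback coordinate by reading two POM files by hand. The script below is an added example (not part of the Jira thread and not Maven's own tooling) that does the same check mechanically: it walks every `<dependency>` in a POM, resolves `${property}` version references against the POM's own `<properties>`, and classifies each `ch.qos.logback` entry as vulnerable (below the 1.2.9 fix version named in the issue), unpinned (no version in this file, so it must be checked in the parent or `dependencyManagement`), or ok. The two sample POM strings are constructed for the example and only mirror the shape the issue describes (a hard-coded 1.2.1 in the root POM, a version-less dependency in the embedder POM); they are not copies of Maven's real files.

```python
"""Audit Maven POM content for ch.qos.logback dependencies below the fixed release.

Added example for MNG-7441; the POM strings below are constructed, not Maven's real files.
"""
import re
import xml.etree.ElementTree as ET

# Logback release that the issue names as containing the fix for CVE-2021-42550.
FIXED_VERSION = (1, 2, 9)

# Constructed sample: mirrors "ch.qos.logback 1.2.1 in ./pom.xml", pinned through a property.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <logbackVersion>1.2.1</logbackVersion>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>${logbackVersion}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

# Constructed sample: mirrors "ch.qos.logback without a version specified in ./maven-embedder/pom.xml".
EMBEDDER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '1.2.1' or '1.2.10-SNAPSHOT' into a tuple of the leading numeric parts."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # stop at the first qualifier such as SNAPSHOT or rc1
    return tuple(parts)


def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _properties(root):
    """Collect every <properties> child as name -> value."""
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    return props


def _resolve(value, props):
    """Expand ${name} references from <properties>; unknown names are left as written."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_pom(xml_text, path="pom.xml"):
    """Return one finding per ch.qos.logback dependency (including dependencyManagement entries)."""
    root = ET.fromstring(xml_text)
    props = _properties(root)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if _child_text(dep, "groupId") != "ch.qos.logback":
            continue
        version = _resolve(_child_text(dep, "version"), props)
        if version is None:
            status = "unpinned"  # version comes from a parent or dependencyManagement elsewhere
        elif parse_version(version) < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "ok"
        findings.append({"path": path, "artifact": _child_text(dep, "artifactId"),
                         "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_pom(ROOT_POM, "./pom.xml") + audit_pom(EMBEDDER_POM, "./maven-embedder/pom.xml"):
        print(finding)
```

An "unpinned" finding is not a clean result: it means the effective version is decided somewhere else, which is exactly why the reporter flagged the embedder POM alongside the root one. In a real multi-module build, run the audit over every module's POM and treat the root `dependencyManagement` entry as the one that must reach 1.2.9 or later.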