[ 
https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519623#comment-17519623
 ] 

Hudson commented on MNG-7441:
-----------------------------

Build succeeded in Jenkins: Maven » Maven TLP » maven » PR-565 #12

See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-565/12/

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0-alpha-1, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present 
> in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to 
> Logback 1.2.9, which includes a fix as per 
> [https://jira.qos.ch/browse/LOGBACK-1591|[https://jira.qos.ch/browse/LOGBACK-1591].]
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a 
> version specified in {{./maven-embedder/pom.xml}}
> But I'm no expert on this code base so it's possible there are other 
> versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is 
> unimportant since in order to exploit it one must already have compromised 
> the system. However, security scanners pick this up as an issue, causing 
> unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to