Hi again,

I should also say that while the threat characteristics between
log4shell and CVE-2021-42550 affecting logback are significantly
different, it is not our place to estimate each use case and deployment
configuration. As logback maintainers, we must assume the worst case.

Best regards,
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J or logback projects.

On 17/12/2021 10:29, Arjohn Kampman wrote:

Hi Ceki,

I'm trying to assess if the update which has been sent to customers, and
which includes 1.2.8, is safe to use, or if they will need another
update. It's quite a bit of work to do this, so I would appreciate it a
lot if you could give some more insight. Which risks remain if the
customers stick to logback 1.28?

On 17/12/2021 10:08, Ceki Gülcü wrote:

Hi Arjohn,

I would consider logback version 1.2.9 a security fix.