This is an automated email from the ASF dual-hosted git repository.
zhonghongsheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shardingsphere.git
The following commit(s) were added to refs/heads/master by this push:
new 60528af4727 Fix CVE-2024-12798, CVE-2024-12801, CVE-2025-11226 (#37936)
60528af4727 is described below
commit 60528af47277622f6171d0c999f9927349db0343
Author: Hongsheng Zhong <[email protected]>
AuthorDate: Mon Feb 2 18:08:22 2026 +0800
Fix CVE-2024-12798, CVE-2024-12801, CVE-2025-11226 (#37936)
* Upgrade logback version from 1.2.13 to 1.3.16
* Update RELEASE-NOTES.md
* Upgrade slf4j version from 1.7.36 to 2.0.17 to match the logback 1.3.x series
---
RELEASE-NOTES.md | 1 +
distribution/proxy/src/main/release-docs/LICENSE | 10 +++++-----
examples/pom.xml | 4 ++--
.../src/main/resources/template/pom.ftl | 4 ++--
pom.xml | 4 ++--
5 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 567841328ed..d57920e809a 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -16,6 +16,7 @@
1. Fix CVE-2025-48924
[#36085](https://github.com/apache/shardingsphere/pull/36085)
1. Fix CVE-2024-7254
[#36153](https://github.com/apache/shardingsphere/pull/36153)
1. Fix CVE-2015-5237, CVE-2024-7254, CVE-2022-3171, CVE-2021-22569,
CVE-2021-22570 [#37888](https://github.com/apache/shardingsphere/pull/37888)
+1. Fix CVE-2024-12798, CVE-2024-12801, CVE-2025-11226
[#37936](https://github.com/apache/shardingsphere/pull/37936)
### Metadata Storage Changes
diff --git a/distribution/proxy/src/main/release-docs/LICENSE
b/distribution/proxy/src/main/release-docs/LICENSE
index a0397ef2cdf..08561b7307b 100644
--- a/distribution/proxy/src/main/release-docs/LICENSE
+++ b/distribution/proxy/src/main/release-docs/LICENSE
@@ -260,7 +260,7 @@ The text of each license is the standard Apache 2.0 license.
jackson-dataformat-yaml 2.16.1: http://github.com/FasterXML/jackson,
Apache 2.0
jackson-datatype-jdk8 2.16.1:
http://github.com/FasterXML/jackson-modules-java8, Apache 2.0
jackson-datatype-jsr310 2.16.1: http://github.com/FasterXML/jackson,
Apache 2.0
- jcl-over-slf4j 1.7.36: https://github.com/qos-ch/slf4j, Apache 2.0
+ jcl-over-slf4j 2.0.17: https://github.com/qos-ch/slf4j, Apache 2.0
jetcd-api 0.7.7: https://github.com/etcd-io/jetcd, Apache 2.0
jetcd-common 0.7.7: https://github.com/etcd-io/jetcd, Apache 2.0
jetcd-core 0.7.7: https://github.com/etcd-io/jetcd, Apache 2.0
@@ -345,8 +345,8 @@ The following components are provided under the EPL
License. See project link fo
The text of each license is also included at licenses/LICENSE-[project].txt.
jakarta.transaction-api 1.3.3: https://github.com/jakartaee/transactions,
EPL 2.0
- logback-classic 1.2.13: https://github.com/qos-ch/logback, EPL 1.0
- logback-core 1.2.13: https://github.com/qos-ch/logback, EPL 1.0
+ logback-classic 1.3.16: https://github.com/qos-ch/logback, EPL 1.0
+ logback-core 1.3.16: https://github.com/qos-ch/logback, EPL 1.0
mchange-commons-java 0.2.15:
https://github.com/swaldman/mchange-commons-java, EPL 1.0
h2 2.2.224: https://github.com/h2database/h2database, EPL 1.0
@@ -362,5 +362,5 @@ The text of each license is also included at
licenses/LICENSE-[project].txt.
bctls-jdk18on 1.79: https://www.bouncycastle.org, MIT
bcutil-jdk18on 1.79: https://www.bouncycastle.org, MIT
checker-qual 3.39.0:
https://github.com/typetools/checker-framework/blob/master/checker-qual, MIT
- jul-to-slf4j 1.7.36: https://www.slf4j.org, MIT
- slf4j-api 1.7.36: https://www.slf4j.org, MIT
+ jul-to-slf4j 2.0.17: https://www.slf4j.org, MIT
+ slf4j-api 2.0.17: https://www.slf4j.org, MIT
diff --git a/examples/pom.xml b/examples/pom.xml
index 2618937d6fa..82075a1b4ad 100644
--- a/examples/pom.xml
+++ b/examples/pom.xml
@@ -44,8 +44,8 @@
<mysql-connector-java.version>8.3.0</mysql-connector-java.version>
<postgresql.version>42.7.8</postgresql.version>
<h2.version>2.2.224</h2.version>
- <slf4j.version>1.7.7</slf4j.version>
- <logback.version>1.2.13</logback.version>
+ <slf4j.version>2.0.17</slf4j.version>
+ <logback.version>1.3.16</logback.version>
<lombok.version>1.18.38</lombok.version>
<mybatis.version>3.5.9</mybatis.version>
<mybatis-spring.version>2.0.5</mybatis-spring.version>
diff --git
a/examples/shardingsphere-jdbc-example-generator/src/main/resources/template/pom.ftl
b/examples/shardingsphere-jdbc-example-generator/src/main/resources/template/pom.ftl
index 81133521a9a..e257974dc8a 100644
---
a/examples/shardingsphere-jdbc-example-generator/src/main/resources/template/pom.ftl
+++
b/examples/shardingsphere-jdbc-example-generator/src/main/resources/template/pom.ftl
@@ -294,12 +294,12 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
- <version>1.7.36</version>
+ <version>2.0.17</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
- <version>1.2.13</version>
+ <version>1.3.16</version>
</dependency>
</dependencies>
diff --git a/pom.xml b/pom.xml
index c7a98b6a607..98dcfd70483 100644
--- a/pom.xml
+++ b/pom.xml
@@ -113,8 +113,8 @@
<elasticjob.version>3.0.4</elasticjob.version>
- <slf4j.version>1.7.36</slf4j.version>
- <logback.version>1.2.13</logback.version>
+ <slf4j.version>2.0.17</slf4j.version>
+ <logback.version>1.3.16</logback.version>
<commons-logging.version>1.2</commons-logging.version>
<lombok.version>1.18.42</lombok.version>