Plans to fix CVE-2023-6378 in 1.2?

[christopher-cudennec]

Hi Logback team / @ceki ! 👋

We still work with Dropwizard 2.1 which still relies on Logback 1.2. Do you have any plans to backport your fix to prevent the DOS attack that is already applied to the 1.3 and 1.4 branches? That would be greatly appreciated! 🌻

Cheers,

Christopher

[debugmaster]

Spring Boot 2.7.x is also using Logback 1.2, and they are explictly loading StaticLoggerBinder in LogbackLoggingSystem.java, so it is not possible to upgrade SLF4J to 2.x or newer Logback versions.

[pjfanning]

There are quite a few users who haven't been able to upgrade to slf4j 2.x due to their dependency libs not having been modified to support slf4j 2.x. Apache Pekko is an example. Most features work when you use slf4j 2.x but we have seen a few issues and are trying to sort them out (work still not complete).

[specio]

+1
Spring 2.7.x is actively supported and only viable option for many Spring based products running on Java <17
It'd be great to see introducing this fix to Logback 1.2.x aswell.

[cseverino789]

+1 Also putting this a reference spring-projects/spring-boot#34708 in regards to spring boot 2.7 vs 3.0 and why this will be an important issue for a lot of projects out there on 2.7

[mikebell90]

All the reasons other folks (namely spring boot) cite are affecting us too. Of course we could fork and push an internal fix, but I hate doing that when avoidable

[bvahdat]

Hi @ceki

Would you mind to review the backport of this CVE and release 1.2.13 afterwards?

[ceki]

Hi @bvahdat,

Thank you for the PR. However, the fix is being ported independently of your PR.

[bvahdat]

Hi @bvahdat,

Thank you for the PR. However, the fix is being ported independently of your PR.

Thanks @ceki for your feedback. I was not aware of this parallel effort going on as I don't see any corresponding PR for that in this repo.

Do you maybe have any estimation when 1.2.13 would be released including this fix?

[ceki]

Version 1.2.13 was released a few moments ago.