Vulnerability fixing version release plan if the 7.3 version has vulnerabilities #1025

07070529 · 2024-07-23T08:41:08Z

07070529
Jul 23, 2024

Hi,
We note that support for versions of logback prior to 1.3.0 has been removed in logstash-logback-encoder 7.4. That is, logstash-logback-encoder 7.3 is incompatible with logstash-logback-encoder 7.4.
We would like to know, if there is a vulnerability in 7.3, is it planned to be fixed in 7.3.X, or will it be fixed in the latest version (e.g. after 7.4 )?
That is, will the fixes version for the vulnerabilities on 7.3 or earlier versions support logback 1.2.X?

Thanks.

Answered by philsttr

Jul 23, 2024

If the vulnerability is in a dependency, such as jackson or logback, then no, since applications can upgrade those dependencies independently from logstash-logback-encoder.

If the vulnerability is reported directly against logstash-logback-encoder and can't be solved by upgrading a dependency, then I'll consider releasing a new version of 7.3 still supporting logback 1.2, but I make no promises.

View full answer

philsttr · 2024-07-23T15:18:14Z

philsttr
Jul 23, 2024
Maintainer

If the vulnerability is in a dependency, such as jackson or logback, then no, since applications can upgrade those dependencies independently from logstash-logback-encoder.

If the vulnerability is reported directly against logstash-logback-encoder and can't be solved by upgrading a dependency, then I'll consider releasing a new version of 7.3 still supporting logback 1.2, but I make no promises.

0 replies

07070529 · 2024-07-24T02:00:11Z

07070529
Jul 24, 2024
Author

Thanks for your reply, we understand.
And can I ask, if you plan to release a new version to fix the vulnerability on 7.3 or earlier versions which support logback 1.2.X, will the new release version still support logback 1.2.X?
For example, if there is a vulnerability in 7.3, and when you plan to release a new version to fix it, will it be fixed in 7.3.X, and will 7.3.X still support logback 1.2.X?

2 replies

reneleonhardt Jul 27, 2024

Did you try to override the affected library?
There are 3 newer patch versions available for your own dependency management if a project like this one doesn't provide updates with security fixes: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic
Please note that corresponding Dependabot PRs have not been (auto-) merged since one year, and security scanning (with trivy for example) has not been established yet.

07070529 Jul 29, 2024
Author

Oh, thanks. I understand.
My main concern is whether the new patch version will still support logback 1.2 when the original version that supports logback 1.2 has a vulnerability. philsttr has answered my question in his recent answer, which I may not have seen in time, sorry.

And thanks for bringing Dependabot PRs to my attention.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability fixing version release plan if the 7.3 version has vulnerabilities #1025

{{title}}

Replies: 2 comments 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Vulnerability fixing version release plan if the 7.3 version has vulnerabilities #1025

07070529 Jul 23, 2024

Replies: 2 comments · 2 replies

philsttr Jul 23, 2024 Maintainer

07070529 Jul 24, 2024 Author

reneleonhardt Jul 27, 2024

07070529 Jul 29, 2024 Author

07070529
Jul 23, 2024

Replies: 2 comments 2 replies

philsttr
Jul 23, 2024
Maintainer

07070529
Jul 24, 2024
Author

07070529 Jul 29, 2024
Author