Upgrade logback-classic to address CVE CVE-2023-6378 #3801
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Derek Ho <[email protected]>
derek-ho
changed the title
derek-ho
requested review from
cliu123,
cwperks,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
cwperks
approved these changes
Dec 4, 2023
DarshitChanpura
approved these changes
Dec 5, 2023
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #3801 +/- ##
==========================================
+ Coverage 65.26% 65.28% +0.02%
==========================================
Files 297 298 +1
Lines 21132 21159 +27
Branches 3452 3455 +3
==========================================
+ Hits 13791 13813 +22
- Misses 5644 5649 +5
Partials 1697 1697
|
reta
reviewed
Dec 5, 2023
| @@ -497,6 +497,7 @@ configurations { | |||
| force "org.apache.httpcomponents:httpcore:4.4.16" | |||
| force "com.google.errorprone:error_prone_annotations:2.23.0" | |||
| force "org.checkerframework:checker-qual:3.40.0" | |||
| force "ch.qos.logback:logback-classic:1.3.12" | |||
There was a problem hiding this comment.
@cwperks this should probably be set to 1.2.13 since Logback 1.3.x needs SLF4J 2.0 APIs (if I am not mistaken)
There was a problem hiding this comment.
Thank you reta! How can we catch issues like this as part of CI?
From logback's README:
Both 1.3.x and 1.4.x series require SLF4J 2.0.x or later.
There was a problem hiding this comment.
Is the issue preventing slf4j upgrade that OpenSearch still supports Java 8? From the slf4j README
SLF4J version 2.0.x will run under Java 8 but requires Java 9 or later to build.
There was a problem hiding this comment.
Is the issue preventing slf4j upgrade that OpenSearch still supports Java 8?
We basically could move to slf4j 2.x but I believe some deps (like Jetty 9 fe, if I am not mistaken) do still rely on slf4j 1.x
derek-ho
added a commit
to derek-ho/security
that referenced
this pull request
Dec 5, 2023
…rch-project#3801)" This reverts commit 2abd71b.
cwperks
pushed a commit
that referenced
this pull request
Dec 5, 2023
prabhask5
pushed a commit
to prabhask5/opensearch-security
that referenced
this pull request
Jan 11, 2024
…ect#3801) ### Description Force resolve logback-classic to 1.3.12 to address GHSA-vmq6-5m68-f53m ### Issues Resolved [List any issues this PR will resolve] Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Derek Ho <[email protected]> Signed-off-by: Prabhas Kurapati <[email protected]>
prabhask5
pushed a commit
to prabhask5/opensearch-security
that referenced
this pull request
Jan 11, 2024
…arch-project#3804) Reverts opensearch-project#3801 Signed-off-by: Prabhas Kurapati <[email protected]>
dlin2028
pushed a commit
to dlin2028/security
that referenced
this pull request
May 1, 2024
…ect#3801) ### Description Force resolve logback-classic to 1.3.12 to address GHSA-vmq6-5m68-f53m ### Issues Resolved [List any issues this PR will resolve] Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Derek Ho <[email protected]>
dlin2028
pushed a commit
to dlin2028/security
that referenced
this pull request
May 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Force resolve logback-classic to 1.3.12 to address GHSA-vmq6-5m68-f53m
Issues Resolved
[List any issues this PR will resolve]
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.