
List:       slf4j-announce
Subject:    [qos.ch-announce] Release of logback versions 1.3.14 and 1.4.14
From:       "QOS.ch annoucements via announce" <announce () qos ! ch>
Date:       2023-12-01 15:45:59
Message-ID: mailman.1121.1701445583.100735.announce () qos ! ch


Hello all,

I am happy to announce the simultaneous release of logback
versions 1.3.14 and 1.4.14. Both versions require slf4j-api version
2.0.x or later.

This version fixes a potential vulnerability consisting of a denial of
service attack on a logback receiver by sending it poisoned data. This
problem was reported by Yakov Shafranovich, Amazon Web Services. It has
been reported under the reference CVE-2023-6378.

For more details, please refer to the
news page:

    http://logback.qos.ch/news.html

Why two simultaneous releases?

Given that downstream users are likely to depend on either Java EE (in
the javax namespace) or on Jakarta EE (in the jakarta namespace) in
their projects, it was deemed important for logback to support both EE
alternatives.

As such, logback 1.3.x supports Java EE whereas logback 1.4.x supports
Jakarta EE; otherwise the two versions are feature identical.

Both 1.3.x and 1.4.x series require the fluent-API introduced in SLF4J
2.0.x.

The 1.3.x series requires Java 8 at runtime. If you wish to build
logback from source, you will need Java 9.

The 1.4.x series requires Java 11 at build time and at runtime.

Groovy configuration:

Support for Groovy configuration was dropped for security reasons but
was recovered by Tucker Pelletier (virtualdogbert). See:

  https://github.com/virtualdogbert/logback-groovy-config

Benchmarks:

For benchmarking figures please see:

  http://logback.qos.ch/performance.html

Reproducible builds:

Recent logback releases are reproducible. This means that anyone
checking out the code corresponding to the release version from GitHub
and building that local copy will obtain a binary identical to
the binary found on Maven Central. Note that due to issue MJAR-275
with the module-info.java produced in earlier Java versions,
reproducible builds require Java 19.

Donations and sponsorship

You can also support SLF4J/logback/reload4j projects via
donations and sponsorship. We thank our current supporters and
sponsors for their continued contributions and in particular The
Sovereign Tech Fund, Spotify R&D and Exoscale.

Sponsorship link: https://github.com/sponsors/qos-ch

Announcement mailing list:

You can receive SLF4J/logback/reload4j related announcements by
subscribing to the QOS.ch announce list. Please visit the following URL:

   http://www.qos.ch/mailman/listinfo/announce

Enjoy,

--
Ceki Gülcü