[ARROW-1240] security: upgrade logback to address CVE-2017-5929 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.4.1
Fix Version/s: 0.6.0
Component/s: Java
Labels:
None

Flags:

Important
External issue URL:
https://github.com/apache/arrow/issues/17098

Description

logback versions before 1.2.0 are affected by "a rather severe serialization vulnerability in SocketServer and ServerSocketReceiver".

We should upgrade logback from 1.0.13 to the latest version (currently 1.2.3) in order to address this.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
and
https://logback.qos.ch/news.html

Attachments

Activity

People

Assignee:: Matt Darwin

Reporter:: Matt Darwin

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Jul/17 08:39

Updated:: 11/Jan/23 07:13

Resolved:: 11/Aug/17 21:13