| Name: logback-access | Distribution: openSUSE Tumbleweed |
| Version: 1.2.13 | Vendor: openSUSE |
| Release: 1.1 | Build date: Fri Oct 3 08:52:14 2025 |
| Group: Unspecified | Build host: reproducible |
| Size: 112454 | Source RPM: logback-1.2.13-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://logback.qos.ch/ | |
| Summary: Logback-access module for Servlet integration | |
The logback-access module integrates with Servlet containers, such as Tomcat and Jetty, to provide HTTP-access log functionality. Note that you could easily build your own module on top of logback-core.
EPL-1.0 OR LGPL-2.1-or-later
* Fri Oct 03 2025 Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 1.2.13
* Fixed NPE in ThrowableProxy if extractSupressedThrowables method
returns null. This fixes LOGBACK-1623
* Fixed incorrect use of HttpServletResponse.getStatus in
logback-access as reported in LOGBACK-1580
* Fixed incorrect use of HttpServletRequest.getParameterNames()
logback-access as reported in LOGBACK-1581
* Fixed incorrect SCP URL in Maven pom.xml. This issue was
reported in LOGBACK-1633
* Fixes for CVE-2023-6481 as well as CVE-2023-6378 were back-ported
into the 1.2.x branch. Fixes will be effective only when run
under Java 9 and later.
Note that a successful exploitation of
CVE-2023-6378/CVE-2023-6381 requires that logback-receiver
component is enabled and also reachable by the attacker.
- Removed patch:
* logback-1.2.8-jetty.patch
+ not needed with this version
- Added patch:
* logback-CVE-2025-11226.patch
+ backport of upstream fix for bsc#1250715, CVE-2025-11226: ACE
vulnerability in conditional configuration file processing
* Fri Mar 28 2025 Fridrich Strba <fstrba@suse.com>
- Added patch:
* filtering.patch
+ Newer maven-filtering versions will throw error when trying
to filter binary files and failing to do so. This avoids
filtering on *.jks (Java Key Store) files.
* Wed Jan 08 2025 Gus Kenion <gus.kenion@suse.com>
- CVE-2024-12798 (bsc#1234742) Arbitrary code execution via
JaninoEventEvaluator
* Resolution: remove JaninoEventEvaluator
- CVE-2024-12801 (bsc#1234743) Server-Side Request Forgery (SSRF)
in SaxEventRecorder
* Resolution: prevent Server-Side Request Forgery (SSRF) attacks
by ignoring external DTD files in DOCTYPE
* Remove SaxEventRecorder
- Add logback-CVE-2024-12801-CVE-2024-12798.patch
* Wed Feb 21 2024 Gus Kenion <gus.kenion@suse.com>
- Use %patch -P N instead of deprecated %patchN.
* Sat Sep 09 2023 Fridrich Strba <fstrba@suse.com>
- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp
* Thu Apr 28 2022 Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 1.2.11
* Backported fix for LOGBACK-1027.
* Fixed incorrect String cast in JNDIUtil. This corrects
LOGBACK-1604.
* In SMTPAppenderBase empty username parameter is now treated the
same way as null. This fixes LOGBACK-1594.
* ContextInitializer no longer complains about missing
logback.groovy configuration file. This fixes LOGBACK-1601.
* In response to CVE-2021-42550 (aka LOGBACK-1591) the following
steps were made:
1) Hardened logback's JNDI lookup mechanism to only honor
requests in the java: namespace. All other types of requests
are ignored.
2) SMTPAppender was hardened.
3) Temporarily removed DB support for security reasons.
4) Removed Groovy configuration support. As logging is so
pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for
security reasons.
The aforementioned vulnerability requires write access to
logback's configuration file as a prerequisite. A successful
RCE attack with CVE-2021-42550 requires all of the following
conditions to be met:
+ write access to logback.xml
+ use of versions < 1.2.9
+ reloading of poisoned configuration data, which implies
application restart or scan="true" set prior to attack
- Set project.build.sourceEncoding property to ISO-8859-1 to
avoid the new maven-resources-plugin choking on trying to filter
in UTF-8 encoding JKS (binary) resources
* Tue Feb 22 2022 Fridrich Strba <fstrba@suse.com>
- Do not build against the log4j12 packages
* Fri Dec 17 2021 Fridrich Strba <fstrba@suse.com>
- Do not execute goals generateTestStubs and compileTests of
gmavenplus-plugin, since we are not compiling or running tests
during the rpm build. This also allows us to use a wider range
of gmavenplus-plugin versions, since those executions changed
names in 1.6.
* Thu Dec 16 2021 Fridrich Strba <fstrba@suse.com>
- Upgrade to version 1.2.8 (bsc#1193795)
* Changes of version 1.2.8
+ In response to LOGBACK-1591, all JNDI lookup code in logback
has been disabled until further notice. This impacts
ContextJNDISelector and <insertFromJNDI> element in
configuration files.
+ Also in response to LOGBACK-1591, all database (JDBC) related
code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
write access to logback's configuration file as a
prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
are of different severity levels. A successful RCE requires
all of the following conditions to be met:
- write access to logback.xml
- use of versions < 1.2.8
- reloading of poisoned configuration data, which implies
application restart or scan="true" set prior to attack
+ As an additional extra precaution, in addition to upgrading to
logback version 1.2.8, the users are advised to set their
logback configuration files as read-only.
* Changes of version 1.2.7
+ Added hostnameVerification to property SSLSocketAppender.
This fixes LOGBACK-1574.
* Changes of version 1.2.6
+ To prevent XML eXternal Entity injection (XXE) attacks, Joran
no longer reads external entities passed in XML files. This
fixes LOGBACK-1465.
* Changes of version 1.2.5
+ Instead of an Appender, the LayoutWrappingEncoder now accepts
a variable of type ContextAware as a parent. This fixes
LOGBACK-1326.
* Changes of version 1.2.4
+ Added support for minimum length in %i filename pattern. This
fixes LOGBACK-1248.
+ For size bound log file archiving, allow
TimeBasedArchiveRemove to remove files with indexes containing
up to 5 digits. This fixes LOGBACK-1175.
+ Added %prefix composite converter which automatically prefixes
child converter output with the name of the converter. This
feature is quite handy in environments where log files need to
be parsed and monitored.
- Changed patch:
* logback-1.1.11-jetty.patch -> logback-1.2.8-jetty.patch
+ Rediff to changed context
* Fri Nov 29 2019 Fridrich Strba <fstrba@suse.com>
- Do not force building with java < 9
- Specify maven.compiler.release=8 to access the
java.util.function.Supplier API, introduced in java 8
- Added patch:
* logback-1.2.3-getCallerClass.patch
+ Access the sun.reflect.Reflection.getCallerClass by
reflection, in order to be able to build with jdk >= 9
/usr/share/java/logback
/usr/share/java/logback/logback-access.jar
/usr/share/licenses/logback-access
/usr/share/licenses/logback-access/LICENSE.txt
/usr/share/maven-metadata/logback-access.xml
/usr/share/maven-poms/logback
/usr/share/maven-poms/logback/logback-access.pom
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 22:37:43 2025