Overview

File _patchinfo of Package patchinfo.22234

<patchinfo incident="22234">
  <issue tracker="bnc" id="1193795">VUL-0: CVE-2021-42550: logback: remote code execution through JNDI call from within its configuration file</issue>
  <issue tracker="cve" id="2021-44228"/>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for logback</summary>
  <description>This update for logback fixes the following issues:

Upgrade to version 1.2.8

+ In response to log4Shell/CVE-2021-44228, all JNDI lookup code in logback
  has been disabled until further notice. This impacts
  ContextJNDISelector and insertFromJNDI element in
  configuration files.
+ Also in response to log4Shell/CVE-2021-44228, all database (JDBC) related
  code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires
  write access to logback's configuration file as a
  prerequisite. The log4Shell/CVE-2021-44228 and LOGBACK-1591
  are of different severity levels. A successful RCE requires
  all of the following conditions to be met:
  - write access to logback.xml
  - use of versions lower then 1.2.8
  - reloading of poisoned configuration data, which implies
    application restart or scan="true" set prior to attack
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places