[ann] maintenance release 1.3

Andrus Adamchik

Dec 23, 2021, 9:16:54 AM
to Bootique User Group
Hi,

A new maintenance release of Bootique 1.x was published yesterday - 1.3.

Many of you have heard about a string of Log4J remote exploits that recently affected a bunch of software around the world. As we mentioned before on Twitter, Bootique standard modules are not using Log4J. All of them are based on SLF4J API, with "bootique-logback" being our implementation of the actual logger. So unless you've written your own Log4J logger module, there should be no immediate concern.

At the same time, with all the extra scrutiny Java logging APIs are getting these days, Logback devs still identified a couple of security holes that are exploitable if an attacker has write access to the server filesystem [1]. So they posted two security releases - 1.2.8 and 1.2.9 to address that.

Bootique release 1.3 includes Logback 1.2.9. As I said, there may be no urgency to upgrade, but we still recommend that you do at your convenience.

Release 2.0.RC1 should follow shortly with that same fix for Bootique 2.x. Stay tuned.

Andrus

[1] https://logback.qos.ch/news.html


