Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BE: upgrade logback to 1.5.16 #773

Closed
wants to merge 1 commit into from
Closed

BE: upgrade logback to 1.5.16 #773

wants to merge 1 commit into from

Conversation

yeikel
Copy link
Collaborator

@yeikel yeikel commented Jan 14, 2025
edited
Loading

What changes did you make? (Give an overview)

Fixes CVE-2024-12798 and CVE-2024-12801 while we wait for the next Spring Boot Release

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • Covered by existing automation
  • Manual tests

Cherry-picked 150b7af to test with changes in #745

Without this PR : https://github.com/kafbat/kafka-ui/actions/runs/12760141709/job/35565086663?pr=745

image

With this PR: https://github.com/kafbat/kafka-ui/actions/runs/12760148833/job/35565105573?pr=773

image

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas

A picture of a cute animal (not mandatory but encouraged)

baby-pangolin-on-mother

@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Jan 14, 2025
@yeikel yeikel force-pushed the overwrite-logback branch 4 times, most recently from cd5ffcd to 588862c Compare January 14, 2025 02:57
@yeikel yeikel marked this pull request as ready for review January 14, 2025 02:57
@yeikel yeikel requested review from a team as code owners January 14, 2025 02:57
Haarolean
Haarolean previously approved these changes Jan 14, 2025
View reviewed changes
@Haarolean Haarolean added scope/backend Related to backend changes type/security Pull requests that address a security vulnerability type/dependencies A pull request/issue dedicated to updating the dependency(-ies) and removed status/triage/manual Manual triage in progress labels Jan 14, 2025
@Haarolean Haarolean added this to the 1.2 milestone Jan 14, 2025
@Haarolean
Copy link
Member

@yeikel do you mind if we hold this for a few days? We currently have #109 in progress so this will impose merge conflicts, I believe it'd be easier to do this the other way -- to upgrade logback once we migrate to gradle.

@yeikel
Copy link
Collaborator Author

yeikel commented Jan 14, 2025

@yeikel do you mind if we hold this for a few days? We currently have #109 in progress so this will impose merge conflicts, I believe it'd be easier to do this the other way -- to upgrade logback once we migrate to gradle.

I am okay to wait

@yeikel yeikel marked this pull request as draft January 14, 2025 14:51
@yeikel
Copy link
Collaborator Author

yeikel commented Jan 14, 2025

The only challenge is that the project will remain vulnerable to these CVEs until this upgrade can happen so hopefully we can complete the Gradle migration soon

@Haarolean
Copy link
Member

The only challenge is that the project will remain vulnerable to these CVEs until this upgrade can happen so hopefully we can complete the Gradle migration soon

I've been told a few days

@yeikel yeikel force-pushed the overwrite-logback branch from 588862c to f5d801a Compare February 5, 2025 20:38
@yeikel yeikel mentioned this pull request Feb 5, 2025
Merged
12 tasks
@sixdouglas
Copy link
Contributor

Hi @yeikel
Logback has been upgraded to the 1.5.16 version in spring-boot 3.4.2 ( the release note is here )
Maybe bumping Spring Boot would be better than fixing this manually, don't you think?

@yeikel
Copy link
Collaborator Author

yeikel commented Feb 6, 2025

Hi @yeikel
Logback has been upgraded to the 1.5.16 version in spring-boot 3.4.2 ( the release note is here )
Maybe bumping Spring Boot would be better than fixing this manually, don't you think?

Yes, much better, actually. At the time, I raised this PR that was still pending

@Haarolean
Copy link
Member

@yeikel let's bump spring boot instead?

@yeikel
Copy link
Collaborator Author

yeikel commented Feb 6, 2025

@yeikel let's bump spring boot instead?

That works for me.

@yeikel yeikel closed this Feb 6, 2025
@yeikel yeikel deleted the overwrite-logback branch February 6, 2025 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Haarolean Haarolean Haarolean left review comments

Assignees
No one assigned
Labels
scope/backend Related to backend changes status/triage/completed Automatic triage completed type/dependencies A pull request/issue dedicated to updating the dependency(-ies) type/security Pull requests that address a security vulnerability
Projects
Release 1.2
Status: Done
Milestone
1.2
Development

Successfully merging this pull request may close these issues.
3 participants
@yeikel @Haarolean @sixdouglas