Commit 04471f4
MINOR: Bump logback.version from 1.5.32 to 1.5.34 (#1171)
Bumps `logback.version` from 1.5.32 to 1.5.34.
Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/qos-ch/logback/releases">ch.qos.logback:logback-classic's
releases</a>.</em></p>
<blockquote>
<h2>Logback 1.5.34</h2>
<p><strong>2026-06-01 Release of logback version 1.5.34</strong></p>
<p>• In case certain StackTraceElement values returned by the
Throwable.getStackTrace method are null, StackTraceElementProxy
substitutes a dummy instance instead of throwing an
IllegalArgumentException. This resolves <a
href="https://redirect.github.com/qos-ch/logback/issues/1040">issues #1040</a>,
reported by Naotsugu Kobayashi.</p>
<p>• HardenedObjectInputStream will now throw an InvalidClassException
during deserialization attempts of Proxy classes. This change addresses
a potential deserialization whitelist bypass vulnerability reported by <a
href="https://github.com/york-shen">York Shen</a> and registered as <a
href="https://www.cve.org/cverecord?id=CVE-2026-10532">CVE-2026-10532</a>.</p>
<p>• A bitwise identical binary of this version can be reproduced by
building from source code at commit
e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag
v_1.5.34. This release was built using Java "21" 2023-10-17
LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.</p>
<h2>Logback 1.5.33</h2>
<p><strong>2026-05-27 Release of logback version 1.5.33</strong></p>
<p>• <code>PropertiesConfiguratorModelHandler</code> now registers
properties file URLs to the <code>ConfigurationWatchList</code> when
scan is enabled (via local scan="true" attribute or top-level
configuration scan), ensuring changes are detected and reconfiguration
occurs. This problem was reported in <a
href="https://redirect.github.com/qos-ch/logback/issues/1034">issues/1034</a>.</p>
<p>• When processing <code>&lt;conversionRule&gt;</code> elements and
both <code>class</code> and <code>converterClass</code> attributes are
specified, silently use the class attribute without issuing a warning.
However, if the attribute values differ, a warning will be issued. This
change was requested in <a
href="https://redirect.github.com/qos-ch/logback/issues/1031">issues/1031</a>.</p>
<p>• <code>HardenedModelInputStream</code> will no longer accept to
deserialize all classes located under the "java.lang" and
"java.util" packages but a limited number of explicitly
authorized classes in those packages. This potential deserialization
whitelist bypass vulnerability was reported by <a
href="https://github.com/york-shen">York Shen</a> and registered as <a
href="https://www.cve.org/cverecord?id=CVE-2026-9828">CVE-2026-9828</a>.</p>
<p>• SSL parameters for <code>SSLSocketAppender</code> now enable
hostname verification by default. Moreover, the default protocol is now
"TLSv1.2". This potential vulnerability was reported by York
Shen.</p>
<p>• When printing the status message field,
<code>ViewStatusMessagesServletBase</code> now escapes special
characters such as "&amp;" as character entities. This
potential vulnerability was reported by York Shen.</p>
<p>• A bit-wise identical binary of this version can be reproduced by
building from source code at commit
124e8b49b55ac34d08743a0646bd463410192647 associated with the tag
v_1.5.33. Release built using Java "21" 2023-10-17 LTS build
21.0.1.+12-LTS-29 under Linux Debian 11.6.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/qos-ch/logback/commit/e62272ac152469aec1ede056c3c7d0d7314e7bfe"><code>e62272a</code></a>
prepare release 1.5.34</li>
<li><a
href="https://github.com/qos-ch/logback/commit/1e9e926db1529b729a0e2d29fdee151c2aea0341"><code>1e9e926</code></a>
add resolveProxyClassRejectsDynamicProxies unit test</li>
<li><a
href="https://github.com/qos-ch/logback/commit/2de5cbe90b74fa284685304bc91321313b0d8e2f"><code>2de5cbe</code></a>
added StackTraceElementProxyTest, minor edits to AGENTS.md</li>
<li><a
href="https://github.com/qos-ch/logback/commit/0e9b9278b5d3f0b573762cd7b5482ed65244418e"><code>0e9b927</code></a>
in case StackTraceElement is null use a substitute, fixing
issues/1040</li>
<li><a
href="https://github.com/qos-ch/logback/commit/f7a0654c2b7e8e1c461e3d9e483e82ef969b5818"><code>f7a0654</code></a>
prevent resolveProxyClass bypass</li>
<li><a
href="https://github.com/qos-ch/logback/commit/249b81f3754f1fb58f8507f244a36c7a940854c0"><code>249b81f</code></a>
docs are no longer distributed</li>
<li><a
href="https://github.com/qos-ch/logback/commit/1c3b26a839f05b6bc1769e5a028ef326c711cec8"><code>1c3b26a</code></a>
start work on 1.5.34-SNAPSHOT</li>
<li><a
href="https://github.com/qos-ch/logback/commit/124e8b49b55ac34d08743a0646bd463410192647"><code>124e8b4</code></a>
prepare release 1.5.33</li>
<li><a
href="https://github.com/qos-ch/logback/commit/d8fd6f25c7f12282871164911fe423c86e2ef8f3"><code>d8fd6f2</code></a>
escapeTags in message field when printing status messages</li>
<li><a
href="https://github.com/qos-ch/logback/commit/95edbeb8dbf53494f36324aeb7bef1825aff6cc4"><code>95edbeb</code></a>
hostnameVerification default to true in SSLParametersConfiguration,
SSL.DEFAU...</li>
<li>Additional commits viewable in <a
href="https://github.com/qos-ch/logback/compare/v_1.5.32...v_1.5.34">compare
view</a></li>
</ul>
</details>
<br />
Updates `ch.qos.logback:logback-core` from 1.5.32 to 1.5.34
<br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent bd8cd52 commit 04471f4
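
The 1.5.34 release note above says the hardened stream now rejects Proxy classes. As an added illustration (not logback's code and not part of this commit), the sketch below shows why an allowlist enforced only in `resolveClass` is incomplete: `ObjectInputStream` resolves dynamic proxy class descriptors through `resolveProxyClass` instead. The class names `AllowlistStreamDemo`, `AllowlistObjectInputStream` and `NoopHandler` and the allowlist contents are assumptions made for the example.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

public class AllowlistStreamDemo {
    // Hypothetical allowlisting stream for illustration; not logback's class.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!allowed.contains(d.getName())) {
                throw new InvalidClassException(d.getName(), "class not on allowlist");
            }
            return super.resolveClass(d);
        }

        // Proxy class descriptors are resolved here, never in resolveClass, so the
        // allowlist check above does not see them unless this method is overridden.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("dynamic proxy classes are not accepted");
        }
    }

    // Constructed sample handler so that the proxy instance can be serialized.
    static class NoopHandler implements InvocationHandler, Serializable {
        public Object invoke(Object proxy, Method method, Object[] args) { return null; }
    }

    // Serializes o in memory, then reads it back through the allowlisting stream.
    static String tryRead(Object o, Set<String> allowed) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()), allowed)) {
            return "accepted: " + in.readObject().getClass().getName();
        } catch (InvalidClassException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> allowed = Set.of("java.util.ArrayList"); // constructed allowlist
        Object proxy = Proxy.newProxyInstance(AllowlistStreamDemo.class.getClassLoader(),
                new Class<?>[] {Runnable.class}, new NoopHandler());
        System.out.println(tryRead(new ArrayList<>(List.of("a", "b")), allowed));
        System.out.println(tryRead(proxy, allowed));
    }
}
```

Removing the `resolveProxyClass` override lets the proxy's interface list be resolved without ever passing through the allowlist check in `resolveClass`.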
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
113 | 113 | | |
114 | 114 | | |
115 | 115 | | |
116 | | - | |
| 116 | + | |
117 | 117 | | |
118 | 118 | | |
119 | 119 | | |
| |||