Commit 04471f4

MINOR: Bump logback.version from 1.5.32 to 1.5.34 (#1171)
Bumps `logback.version` from 1.5.32 to 1.5.34. Updates `ch.qos.logback:logback-classic` from 1.5.32 to 1.5.34 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/qos-ch/logback/releases">ch.qos.logback:logback-classic's releases</a>.</em></p> <blockquote> <h2>Logback 1.5.34</h2> <p><strong>2026-06-01 Release of logback version 1.5.34</strong></p> <p>• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues <a href="https://redirect.github.com/qos-ch/logback/issues/1040">#1040</a>](<a href="https://redirect.github.com/qos-ch/logback/issues/1040">qos-ch/logback#1040</a>), reported by Naotsugu Kobayashi.</p> <p>• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by <a href="https://github.com/york-shen">York Shen</a> and registered as <a href="https://www.cve.org/cverecord?id=CVE-2026-10532">CVE-2026-10532</a>.</p> <p>• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java &quot;21&quot; 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.</p> <h2>Logback 1.5.33</h2> <p><strong>2026-05-27 Release of logback version 1.5.33</strong></p> <p>• <code>PropertiesConfiguratorModelHandler</code> now registers properties file URLs to the <code>ConfigurationWatchList</code> when scan is enabled (via local scan=&quot;true&quot; attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. 
This problem was reported in <a href="https://redirect.github.com/qos-ch/logback/issues/1034">issues/1034</a>.</p> <p>• When processing <code>&lt;conversionRule&gt;</code> elements and both <code>class</code> and <code>converterClass</code> attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in <a href="https://redirect.github.com/qos-ch/logback/issues/1031">issues/1031</a>.</p> <p>• <code>HardenedModelInputStream</code> will no longer accept to deserialize all classes located under the &quot;java.lang&quot; and &quot;java.util&quot; packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by <a href="https://github.com/york-shen">York Shen</a> and registered as <a href="https://www.cve.org/cverecord?id=CVE-2026-9828">CVE-2026-9828</a>.</p> <p>• SSL parameters for <code>SSLSocketAppender</code> now enable hostname verification by default. Moreover, the default protocol is now &quot;TLSv1.2&quot;. This potential vulnerability was reported by York Shen.</p> <p>• When printing the status message field, <code>ViewStatusMessagesServletBase</code> now escapes special characters such as &quot;&amp;&quot; as character entities. This potential vulnerability was reported by York Shen.</p> <p>• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. 
Release built using Java &quot;21&quot; 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/qos-ch/logback/commit/e62272ac152469aec1ede056c3c7d0d7314e7bfe"><code>e62272a</code></a> prepare release 1.5.34</li> <li><a href="https://github.com/qos-ch/logback/commit/1e9e926db1529b729a0e2d29fdee151c2aea0341"><code>1e9e926</code></a> add resolveProxyClassRejectsDynamicProxies unit test</li> <li><a href="https://github.com/qos-ch/logback/commit/2de5cbe90b74fa284685304bc91321313b0d8e2f"><code>2de5cbe</code></a> added StackTraceElementProxyTest, minor edits to AGENTS.md</li> <li><a href="https://github.com/qos-ch/logback/commit/0e9b9278b5d3f0b573762cd7b5482ed65244418e"><code>0e9b927</code></a> in case StackTraceElement is null use a substitute, fixing issues/1040</li> <li><a href="https://github.com/qos-ch/logback/commit/f7a0654c2b7e8e1c461e3d9e483e82ef969b5818"><code>f7a0654</code></a> prevent resolveProxyClass bypass</li> <li><a href="https://github.com/qos-ch/logback/commit/249b81f3754f1fb58f8507f244a36c7a940854c0"><code>249b81f</code></a> docs are no longer distributed</li> <li><a href="https://github.com/qos-ch/logback/commit/1c3b26a839f05b6bc1769e5a028ef326c711cec8"><code>1c3b26a</code></a> start work on 1.5.34-SNAPSHOT</li> <li><a href="https://github.com/qos-ch/logback/commit/124e8b49b55ac34d08743a0646bd463410192647"><code>124e8b4</code></a> prepare release 1.5.33</li> <li><a href="https://github.com/qos-ch/logback/commit/d8fd6f25c7f12282871164911fe423c86e2ef8f3"><code>d8fd6f2</code></a> escapeTags in message field when printing status messages</li> <li><a href="https://github.com/qos-ch/logback/commit/95edbeb8dbf53494f36324aeb7bef1825aff6cc4"><code>95edbeb</code></a> hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...</li> <li>Additional commits viewable in <a 
href="https://github.com/qos-ch/logback/compare/v_1.5.32...v_1.5.34">compare view</a></li> </ul> </details> <br /> Updates `ch.qos.logback:logback-core` from 1.5.32 to 1.5.34 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/qos-ch/logback/releases">ch.qos.logback:logback-core's releases</a>.</em></p> <blockquote> <h2>Logback 1.5.34</h2> <p><strong>2026-06-01 Release of logback version 1.5.34</strong></p> <p>• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues <a href="https://redirect.github.com/qos-ch/logback/issues/1040">#1040</a>](<a href="https://redirect.github.com/qos-ch/logback/issues/1040">qos-ch/logback#1040</a>), reported by Naotsugu Kobayashi.</p> <p>• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by <a href="https://github.com/york-shen">York Shen</a> and registered as <a href="https://www.cve.org/cverecord?id=CVE-2026-10532">CVE-2026-10532</a>.</p> <p>• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java &quot;21&quot; 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.</p> <h2>Logback 1.5.33</h2> <p><strong>2026-05-27 Release of logback version 1.5.33</strong></p> <p>• <code>PropertiesConfiguratorModelHandler</code> now registers properties file URLs to the <code>ConfigurationWatchList</code> when scan is enabled (via local scan=&quot;true&quot; attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. 
This problem was reported in <a href="https://redirect.github.com/qos-ch/logback/issues/1034">issues/1034</a>.</p> <p>• When processing <code>&lt;conversionRule&gt;</code> elements and both <code>class</code> and <code>converterClass</code> attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in <a href="https://redirect.github.com/qos-ch/logback/issues/1031">issues/1031</a>.</p> <p>• <code>HardenedModelInputStream</code> will no longer accept to deserialize all classes located under the &quot;java.lang&quot; and &quot;java.util&quot; packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by <a href="https://github.com/york-shen">York Shen</a> and registered as <a href="https://www.cve.org/cverecord?id=CVE-2026-9828">CVE-2026-9828</a>.</p> <p>• SSL parameters for <code>SSLSocketAppender</code> now enable hostname verification by default. Moreover, the default protocol is now &quot;TLSv1.2&quot;. This potential vulnerability was reported by York Shen.</p> <p>• When printing the status message field, <code>ViewStatusMessagesServletBase</code> now escapes special characters such as &quot;&amp;&quot; as character entities. This potential vulnerability was reported by York Shen.</p> <p>• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. 
Release built using Java &quot;21&quot; 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/qos-ch/logback/commit/e62272ac152469aec1ede056c3c7d0d7314e7bfe"><code>e62272a</code></a> prepare release 1.5.34</li> <li><a href="https://github.com/qos-ch/logback/commit/1e9e926db1529b729a0e2d29fdee151c2aea0341"><code>1e9e926</code></a> add resolveProxyClassRejectsDynamicProxies unit test</li> <li><a href="https://github.com/qos-ch/logback/commit/2de5cbe90b74fa284685304bc91321313b0d8e2f"><code>2de5cbe</code></a> added StackTraceElementProxyTest, minor edits to AGENTS.md</li> <li><a href="https://github.com/qos-ch/logback/commit/0e9b9278b5d3f0b573762cd7b5482ed65244418e"><code>0e9b927</code></a> in case StackTraceElement is null use a substitute, fixing issues/1040</li> <li><a href="https://github.com/qos-ch/logback/commit/f7a0654c2b7e8e1c461e3d9e483e82ef969b5818"><code>f7a0654</code></a> prevent resolveProxyClass bypass</li> <li><a href="https://github.com/qos-ch/logback/commit/249b81f3754f1fb58f8507f244a36c7a940854c0"><code>249b81f</code></a> docs are no longer distributed</li> <li><a href="https://github.com/qos-ch/logback/commit/1c3b26a839f05b6bc1769e5a028ef326c711cec8"><code>1c3b26a</code></a> start work on 1.5.34-SNAPSHOT</li> <li><a href="https://github.com/qos-ch/logback/commit/124e8b49b55ac34d08743a0646bd463410192647"><code>124e8b4</code></a> prepare release 1.5.33</li> <li><a href="https://github.com/qos-ch/logback/commit/d8fd6f25c7f12282871164911fe423c86e2ef8f3"><code>d8fd6f2</code></a> escapeTags in message field when printing status messages</li> <li><a href="https://github.com/qos-ch/logback/commit/95edbeb8dbf53494f36324aeb7bef1825aff6cc4"><code>95edbeb</code></a> hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...</li> <li>Additional commits viewable in <a 
href="https://github.com/qos-ch/logback/compare/v_1.5.32...v_1.5.34">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent bd8cd52 commit 04471f4

1 file changed

Lines changed: 1 addition & 1 deletion

pom.xml

@@ -113,7 +113,7 @@ under the License.
113113
<checkstyle.failOnViolation>true</checkstyle.failOnViolation>
114114
<error_prone_core.version>2.42.0</error_prone_core.version>
115115
<checker.framework.version>4.2.0</checker.framework.version>
116-
<logback.version>1.5.32</logback.version>
116+
<logback.version>1.5.34</logback.version>
117117
<doclint>none</doclint>
118118
<additionalparam>-Xdoclint:none</additionalparam>
119119
<!-- List of add-opens arg line arguments for tests -->
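Review bot: the `logback.version` change at line 116 skips over 1.5.33 and lands on 1.5.34, and the release notes quoted in the commit message show that this range changes runtime defaults as well as fixing bugs, which the "MINOR" title does not convey. Per those notes, `SSLSocketAppender` now enables hostname verification by default and defaults to "TLSv1.2", `HardenedModelInputStream` only accepts an explicit set of classes under "java.lang" and "java.util", and `HardenedObjectInputStream` throws `InvalidClassException` for Proxy classes. Before merging, check whether any logback configuration in this project uses `SSLSocketAppender` against an endpoint whose certificate would fail hostname verification, or relies on serialized logback models. I would also name CVE-2026-9828 and CVE-2026-10532 in the commit title or changelog so the bump is tracked as a security update. Keeping a single property for both `logback-classic` and `logback-core` is good, since it keeps the two artifacts on the same version.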
