SLING-11021 : Update logback to 1.2.9 for CVE-2021-42550
diff --git a/pom.xml b/pom.xml
index 154efd0..5d8d258 100644
--- a/pom.xml
+++ b/pom.xml
@@ -46,7 +46,7 @@
<properties>
<slf4j.version>1.7.32</slf4j.version>
- <logback.version>1.2.8</logback.version>
+ <logback.version>1.2.9</logback.version>
<!-- Higher versions of pax exam cause class loading errors -->
<pax-exam.version>4.13.2</pax-exam.version>
<sling.java.version>8</sling.java.version>
@@ -83,6 +83,14 @@
<groupId>biz.aQute.bnd</groupId>
<artifactId>bnd-maven-plugin</artifactId>
</plugin>
+ <plugin>
+ <groupId>biz.aQute.bnd</groupId>
+ <artifactId>bnd-baseline-maven-plugin</artifactId>
+ <configuration>
+ <!-- Disable for changes between logback 1.2.8 and 1.2.9 -->
+ <skip>true</skip>
+ </configuration>
+ </plugin>
<!-- Required for pax exam-->
<plugin>
<groupId>org.codehaus.mojo</groupId>
diff --git a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
index e4e0557..e175118 100644
--- a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
+++ b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
@@ -53,14 +53,12 @@
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
-import ch.qos.logback.classic.gaffer.GafferUtil;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.classic.jul.LevelChangePropagator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.classic.spi.LoggerContextAwareBase;
import ch.qos.logback.classic.spi.LoggerContextListener;
import ch.qos.logback.classic.turbo.TurboFilter;
-import ch.qos.logback.classic.util.EnvUtil;
import ch.qos.logback.core.Appender;
import ch.qos.logback.core.joran.GenericConfigurator;
import ch.qos.logback.core.joran.event.SaxEvent;
@@ -623,15 +621,7 @@
if (configFile.getName().endsWith("xml")) {
configurator.doConfigure(configFile);
} else if (configFile.getName().endsWith("groovy")) {
- if (EnvUtil.isGroovyAvailable()) {
- // avoid directly referring to GafferConfigurator so as to
- // avoid
- // loading groovy.lang.GroovyObject . See also
- // http://jira.qos.ch/browse/LBCLASSIC-214
- GafferUtil.runGafferConfiguratorOn(getLoggerContext(), this, configFile);
- } else {
- addError("Groovy classes are not available on the class path. ABORTING INITIALIZATION.");
- }
+ addError("Configuration with groogy files is not supported in logback anymore. ABORTING INITIALIZATION.");
}
}