commit b4650f1fd04f7ffabdda71052cf153cc05676d94
author Carsten Ziegeler <cziegeler@apache.org> Fri Dec 17 17:05:36 2021 +0100
committer Carsten Ziegeler <cziegeler@apache.org> Fri Dec 17 17:05:36 2021 +0100
tree 27b12d02e6674a0d7f3b98e8d141b87dd3dedded
parent abd634f1c969ed6400bb18c71041dc969b5d60a9

SLING-11021 : Update logback to 1.2.9 for  CVE-2021-42550

pom.xml

diff --git a/pom.xml b/pom.xml
index 154efd0..5d8d258 100644
--- a/pom.xml
+++ b/pom.xml
@@ -46,7 +46,7 @@
 
   <properties>
     <slf4j.version>1.7.32</slf4j.version>
-    <logback.version>1.2.8</logback.version>
+    <logback.version>1.2.9</logback.version>
     <!-- Higher versions of pax exam cause class loading errors -->
     <pax-exam.version>4.13.2</pax-exam.version>
     <sling.java.version>8</sling.java.version>
@@ -83,6 +83,14 @@
         <groupId>biz.aQute.bnd</groupId>
         <artifactId>bnd-maven-plugin</artifactId>
       </plugin>
+      <plugin>
+        <groupId>biz.aQute.bnd</groupId>
+        <artifactId>bnd-baseline-maven-plugin</artifactId>
+        <configuration>
+          <!-- Disable for changes between logback 1.2.8 and 1.2.9 -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
       <!-- Required for pax exam-->
       <plugin>
         <groupId>org.codehaus.mojo</groupId>

src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java

diff --git a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
index e4e0557..e175118 100644
--- a/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
+++ b/src/main/java/org/apache/sling/commons/log/logback/internal/LogbackManager.java
@@ -53,14 +53,12 @@
 import ch.qos.logback.classic.Level;
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
-import ch.qos.logback.classic.gaffer.GafferUtil;
 import ch.qos.logback.classic.joran.JoranConfigurator;
 import ch.qos.logback.classic.jul.LevelChangePropagator;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.classic.spi.LoggerContextAwareBase;
 import ch.qos.logback.classic.spi.LoggerContextListener;
 import ch.qos.logback.classic.turbo.TurboFilter;
-import ch.qos.logback.classic.util.EnvUtil;
 import ch.qos.logback.core.Appender;
 import ch.qos.logback.core.joran.GenericConfigurator;
 import ch.qos.logback.core.joran.event.SaxEvent;
@@ -623,15 +621,7 @@
             if (configFile.getName().endsWith("xml")) {
                 configurator.doConfigure(configFile);
             } else if (configFile.getName().endsWith("groovy")) {
-                if (EnvUtil.isGroovyAvailable()) {
-                    // avoid directly referring to GafferConfigurator so as to
-                    // avoid
-                    // loading groovy.lang.GroovyObject . See also
-                    // http://jira.qos.ch/browse/LBCLASSIC-214
-                    GafferUtil.runGafferConfiguratorOn(getLoggerContext(), this, configFile);
-                } else {
-                    addError("Groovy classes are not available on the class path. ABORTING INITIALIZATION.");
-                }
+                addError("Configuration with groogy files is not supported in logback anymore. ABORTING INITIALIZATION.");
             }
         }