Logback Vulnerability Priority

tsuyoshizawa · December 20, 2021, 3:53pm

Play Framework uses Logback as its standard logging library instead of log4j2.

Logback has also been released to address the vulnerability, although log4j2 has been spared from addressing the more urgent vulnerability. http://logback.qos.ch/news.html

Are you planning to release a version that supports these in the near future?
Or is there a policy for an emergency release with the latest version applied?

Many projects support this by overriding their own version of the Logback library. It is good for all Play Framework users that Play Framework releases with the latest version of Logback applied.

mkurz · December 20, 2021, 4:21pm

Hi!
I am planning to release Play 2.8.12 this week, including latest logback.
See 2.8.12 Milestone · GitHub

tsuyoshizawa · December 20, 2021, 4:45pm

That’s great news. I’m looking forward to the new version.
Thank you for all your support for Play.

Topic		Replies	Views
Move away from Logback and slf4j? Play Framework	3	1702	March 23, 2021
Update Play framework with Log4j 2.15.0 dependency Play Framework java	1	1393	December 29, 2021
Regarding the log4j2 vulnerability, CVE-2021-44228 Akka security	5	14344	December 16, 2021
Play logback doesnt work when explicit logback dependency is on classpath Play Framework	3	811	October 20, 2018
Configure logback config from Play application.conf Play Framework	0	961	August 31, 2018

Logback Vulnerability Priority

Related Topics