Skip to content

Commit

Permalink
[Manual backport of #4049] Force logback to version 1.2.13 to resolve C…
Browse files Browse the repository at this point in the history
…VE-2023-6378 (#4051)

### Description
This change forces is a manual backport of the same type of change in
#4049 . Instead of excluding the the logback-classic and logback-core
transient dependencies we now just force them to be versions 1.2.13.
This resolves CVE-2023-6378

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Stephen Crawford <[email protected]>
  • Loading branch information
stephen-crawford authored Feb 15, 2024
1 parent 18ba96e commit c2247df
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@ configurations.all {
force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
force "org.xerial.snappy:snappy-java:1.1.10.5"
force "org.apache.zookeeper:zookeeper:3.9.1"
force "ch.qos.logback:logback-core:1.2.13"
force "ch.qos.logback:logback-classic:1.2.13"
}
}
Expand Down

0 comments on commit c2247df

Please sign in to comment.