Skip to content

Bump ch.qos.logback:logback-core from 1.5.32 to 1.5.34#300

Merged
IsaacG merged 1 commit into
mainfrom
dependabot/gradle/ch.qos.logback-logback-core-1.5.34
Jun 2, 2026
Merged

Bump ch.qos.logback:logback-core from 1.5.32 to 1.5.34#300
IsaacG merged 1 commit into
mainfrom
dependabot/gradle/ch.qos.logback-logback-core-1.5.34

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026
edited
Loading

Bumps ch.qos.logback:logback-core from 1.5.32 to 1.5.34.

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

• When processing <conversionRule> elements and both class and converterClass attributes are specified, silently use the class attribute without issuing a warning. However, if the attribute values differ, a warning will be issued. This change was requested in issues/1031.

HardenedModelInputStream will no longer accept to deserialize all classes located under the "java.lang" and "java.util" packages but a limited number of explicitly authorized classes in those packages. This potential deserialization whitelist bypass vulnerability was reported by York Shen and registered as CVE-2026-9828.

• SSL parameters for SSLSocketAppender now enable hostname verification by default. Moreover, the default protocol is now "TLSv1.2". This potential vulnerability was reported by York Shen.

• When printing the status message field, ViewStatusMessagesServletBase now escapes special characters such as "&" as character entities. This potential vulnerability was reported by York Shen.

• A bit-wise identical binary of this version can be reproduced by building from source code at commit 124e8b49b55ac34d08743a0646bd463410192647 associated with the tag v_1.5.33. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • 124e8b4 prepare release 1.5.33
  • d8fd6f2 escapeTags in message field when printing status messages
  • 95edbeb hostnameVerification default to true in SSLParametersConfiguration, SSL.DEFAU...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the x:size/small Small amount of work label Jun 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 2, 2026 12:00
@dependabot dependabot Bot added the x:size/small Small amount of work label Jun 2, 2026
@dependabot
Bump ch.qos.logback:logback-core from 1.5.32 to 1.5.34
72812eb 
Bumps [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) from 1.5.32 to 1.5.34.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.32...v_1.5.34)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/gradle/ch.qos.logback-logback-core-1.5.34 branch from 4538a49 to 72812eb Compare June 2, 2026 16:02
@IsaacG IsaacG merged commit 8dfe72f into main Jun 2, 2026
2 checks passed
@IsaacG IsaacG deleted the dependabot/gradle/ch.qos.logback-logback-core-1.5.34 branch June 2, 2026 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IsaacG IsaacG IsaacG approved these changes

@jagdish-15 jagdish-15 jagdish-15 approved these changes

Assignees

No one assigned

Labels

x:size/small Small amount of work

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@IsaacG @jagdish-15