When will the new version with improved CVE-2021-42550 vulnerability be released?

[dongdorrong]

The latest version 7.0.1 is also confirmed to have the CVE-2021-42550 vulnerability. So I wonder when the improved version will be released.

https://mvnrepository.com/artifact/net.logstash.logback/logstash-logback-encoder/7.0.1

[philsttr]

We're working on the next version of logstash-logback-encoder, but do not have an expected release date.

In the meantime, logstash-logback-encoder 7.0.1 is compatible with logback 1.2.10. You can explicitly specify logback 1.2.10 in your applications to resolve the logback CVE.

[dongdorrong]

Additionally, which version of logstash-logback-encoder is compatible with logback 1.2.10 version?

[philsttr]

logstash-logback-encoder 6.x and 7.x are compatible with logback 1.2.10.

However, I recommend using logstash-logback-encoder 7.0.1

[dongdorrong]

Is logstash-logback-encoder 5.3 compatible with logback 1.2.10?

In addition, even if the logstash-logback-encoder version is low, I wonder if the vulnerability can be corrected by applying the latest logback.

Because it is not possible to modify the current application code immediately.

[dongdorrong]

One last question I would like to ask.
I wonder what you mean by saying that logback and logstash-logback-encoder are compatible.

Whether logback can be used instead of logstash-logback-encoder, or can logback be used at the same time when using logstash?

[philsttr]

logstash-logback-encoder requires logback.

Each logstash-logback-encoder version is compiled and tested against a specific version of logback.

However, logstash-logback-encoder will work with newer versions of logback if all the features of logback that logstash-logback-encoder uses are backwards compatible with the version of logback that logstash-logback-encoder was compiled and tested against.

Therefore, since logback-logback-encoder 5.3 was compiled and tested against logback 1.2.3, and logback 1.2.10 is backwards compatible with logback 1.2.3 for the features that logstash-logback-encoder uses, then logstash-logback-encoder 5.3. should work with logback 1.2.10.