Update logback-classic and netty dependency #2367
Assignees
Labels
Comments
ghost
added
the
|
hi @woglinde! logback-classic is being updated in #2365 it looks like Application Insights isn't affected by the netty CVE since that only affects Java 6 and older (assuming we're looking at the same one): Azure/azure-sdk-for-java#29295 we are getting netty as a transitive dependency from Azure SDK, so we'll probably plan on waiting until they update that dependency |
|
Hi @trask, thanks for looking into and yes I know both CVEs have a moderate score are not that easily useable, but some companies have a strict policy about it and always writing exception files is not fun either. |
|
it looks like Azure SDKs updated it a few days ago Azure/azure-sdk-for-java#29638, we'll pull in the latest Azure SDK dependencies as soon as it is released |
Merged
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Right now the logback-classic version is at 1.2.8 and netty is at 4.1.76. Against both CVE's with a moderate score exists, which lets secrutiy scanner like trivy or blackduck to complain about them.
Would be nice if both dependency could be updated to the latest version and a hotfix release could be made.
The text was updated successfully, but these errors were encountered: