
@nishithakbhaskaran nishithakbhaskaran commented Oct 21, 2025

Description

Upgrade logback-core to 1.5.19 in order to fix CVE-2025-11226

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with their default values), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade logback-core to 1.5.19 in response to `CVE-2025-11226 <https://github.com/advisories/GHSA-25qh-j22f-pwp8>`_.

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Oct 21, 2025
@nishithakbhaskaran nishithakbhaskaran force-pushed the logback-core-cve branch 4 times, most recently from 8a9cacf to ba1b043 on October 22, 2025 14:55
@nishithakbhaskaran nishithakbhaskaran changed the title from "Do Not review Test PR" to "WIP Test PR" Oct 22, 2025
@nishithakbhaskaran nishithakbhaskaran changed the title from "WIP Test PR" to "chore(security): Upgrade logback-core to resolve CVE-2025-11226" Oct 27, 2025
@nishithakbhaskaran nishithakbhaskaran changed the title from "chore(security): Upgrade logback-core to resolve CVE-2025-11226" to "fix(security): Upgrade logback-core to resolve CVE-2025-11226" Oct 27, 2025
@steveburnett (Contributor)

Thanks for the release note! Please change the formatting of the link to match the example shown in Phrasing in the Release Notes Guidelines.

pom.xml Outdated
<dep.commons.codec.version>1.17.1</dep.commons.codec.version>
<aws.sdk.version>2.32.9</aws.sdk.version>
<release.autoPublish>true</release.autoPublish>
<dep.logback.version>1.5.19</dep.logback.version>
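Review bot: the added `<dep.logback.version>1.5.19</dep.logback.version>` property only pins logback-core if that exact property name is the one the parent (airbase) pom's dependencyManagement resolves for logback; please confirm that, or add an explicit dependencyManagement override for logback-core next to it, and verify the resolved version with `mvn dependency:tree` so the CVE-2025-11226 fix version is actually what lands on the classpath.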
Contributor:

Can you try making the change to airbase instead - https://github.com/prestodb/airbase/pull/36/files is what I had done last time

Contributor Author:

This will cause a JDK 11 build failure in the airlift repo.

Contributor:

Ah, you're right. We still have airlift on JDK 8.
