Skip to content

Bump ch.qos.logback:logback-core from 1.5.33 to 1.5.35#164

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/maven/ch.qos.logback-logback-core-1.5.35
Open

Bump ch.qos.logback:logback-core from 1.5.33 to 1.5.35#164
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/maven/ch.qos.logback-logback-core-1.5.35

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps ch.qos.logback:logback-core from 1.5.33 to 1.5.35.

Release notes

Sourced from ch.qos.logback:logback-core's releases.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • 08bd159 preapre release 1.5.35
  • 37d256b indentation changes only
  • d3d7307 minor comment
  • fa0411a radomize file location
  • 834fdba disable consoleCharset test
  • 42eabc3 fix messages in IfModelHandler
  • 347efc8 add unicode escape prevention
  • 1b6ba73 allow derived classes to override makeAnotherInstance
  • 340e8be check for unicode escape codes in Janino conditions
  • 4468f5e adding support for certifying configurators
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 10, 2026
Bumps [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) from 1.5.33 to 1.5.35.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.33...v_1.5.35)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-core
  dependency-version: 1.5.35
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/ch.qos.logback-logback-core-1.5.35 branch from c384936 to 6f1ebbd Compare July 11, 2026 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants