Fix security issue CVE-2023-6378

bot-by · Dec 20, 2023 · c27c097 · c27c097
1 parent 88ad670
commit c27c097
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/changelog.md b/changelog.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 1.1.1 - 2023-12-20
+### Security
+- CVE-2023-6378: A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
+
 ## 1.1.0 - 2023-12-20
 ### Added
 - The proxy feature

diff --git a/pom.xml b/pom.xml
@@ -518,7 +518,7 @@
     <mockito.version>5.8.0</mockito.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <revision>1.1.0</revision>
+    <revision>1.1.1</revision>
     <sha1/>
   </properties>
   <scm>

diff --git a/spring-boot-test/pom.xml b/spring-boot-test/pom.xml
@@ -90,6 +90,16 @@
       <groupId>org.springframework.boot</groupId>
       <version>3.2.0</version>
     </dependency>
+    <dependency>
+      <!--
+        CVE-2023-6378: A serialization vulnerability in
+        logback receiver component part of logback version 1.4.11 allows an attacker
+        to mount a Denial-Of-Service attack by sending poisoned data.
+      -->
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <version>1.4.14</version>
+    </dependency>
     <dependency>
       <artifactId>spring-boot-configuration-processor</artifactId>
       <groupId>org.springframework.boot</groupId>