2026-01-17 Release of logback version 1.5.25
• When processing configuration files, logback-core will now only instantiate components compatible with the class expected by the encapsulating class. This fixes an ACE vulnerability recorded as CVE-2026-1225.
• In configuration files, referencing a single undeclared appender would cause all referenced appenders to be skipped. This issue was discovered in issues/997.
• Added VersionUtil class to logback-core. This utility class checks for version compatibility issues and alerts the user if need be.
• Added EpochConverter to output milliseconds/seconds since epoch. This enhancement was requested by Duncan Jauncey in issues/1000 who also provided the relevant implementation PR.
• A bit-wise identical binary of this version can be reproduced by building from source code at commit f426e00 associated with the tag v_1.5.25. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.