The Pdfsam website mentions that the vulnerabilities discovered impacts not only log4j2, but also log4j1 ang logback. https://blog.pdfsam.org/pdfsam-basic/pdfsam-and-log4j2-vulnerability/2286/ The Qos website indicates that in fact the vulnerabilty has been fixed first in logback 1.2.8, the in 1.2.9
Debian stable has logback 1.2.3, testing has 1.2.8, unstable has 1.2.10 So, would a bug be open to ask 1.2.10 in stable?
