
Conversation

@Nandakumar-Balagopal

Description

Upgrade logback-core and logback-classic dependencies to 1.5.25 to address CVE-2026-1225.

Motivation and Context

Impact

Test Plan

  • Local Load Test: Passed (Ran for ~1 hr, stable).
  • Security Scan: Verified image scan is clean (vulnerability is resolved).

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade logback-core and logback-classic to 1.5.25 in response to CVE-2026-1225 <https://github.com/advisories/GHSA-qqpg-mvqg-649v>_.

@steveburnett
Contributor

Thanks for the release note! Nit of formatting:

== RELEASE NOTES ==

Security Changes
* Upgrade logback-core and logback-classic to 1.5.25 in response to `CVE-2026-1225 <https://github.com/advisories/GHSA-qqpg-mvqg-649v>`_.

@imjalpreet
Member

@Nandakumar-Balagopal, I just had a quick look, both logback-core and logback-classic are coming from airbase (parent of airlift and presto): https://github.com/prestodb/airbase/blob/eaeb1ee9f27ad03b76390dfb75bb5561d41d22f0/airbase/pom.xml#L1054-L1063.

We should upgrade these dependencies in airbase.
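To confirm which logback versions a module actually resolves when the versions are managed by a parent pom, here is an added check script (not code from this PR or the Presto project) that parses `mvn dependency:tree` output; the tree text below is a constructed sample, and `sort -V` (GNU coreutils) is assumed:

```shell
#!/bin/sh
# Added example: report every ch.qos.logback artifact in a Maven dependency tree
# and flag any that resolve below the fixed version, regardless of which pom
# (child or parent such as airbase) manages the version.
FIXED_VERSION="1.5.25"

# Constructed sample of `mvn dependency:tree -Dincludes=ch.qos.logback` output.
# A real run would be:  mvn dependency:tree -Dincludes=ch.qos.logback > tree.txt
SAMPLE_TREE='[INFO] --- dependency:3.6.1:tree (default-cli) @ example-module ---
[INFO] com.example:example-module:jar:0.1-SNAPSHOT
[INFO] +- ch.qos.logback:logback-core:jar:1.5.18:compile
[INFO] \- ch.qos.logback:logback-classic:jar:1.5.25:compile'

# version_ge A B: succeeds when dotted version A >= B (uses GNU sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# logback_versions TEXT: prints "artifact version" for each logback artifact
logback_versions() {
    printf '%s\n' "$1" \
        | grep -o 'ch\.qos\.logback:[A-Za-z0-9-]*:jar:[0-9.]*' \
        | awk -F: '{ print $2, $4 }'
}

# check_logback TEXT: prints one status line per artifact; returns 1 if any
# artifact resolves below FIXED_VERSION (no pipe into while, so rc survives)
check_logback() {
    rc=0
    for entry in $(logback_versions "$1" | tr ' ' '='); do
        artifact=${entry%%=*}
        version=${entry#*=}
        if version_ge "$version" "$FIXED_VERSION"; then
            echo "OK          $artifact $version"
        else
            echo "VULNERABLE  $artifact $version (below $FIXED_VERSION)"
            rc=1
        fi
    done
    return $rc
}

if check_logback "$SAMPLE_TREE"; then
    echo "all logback artifacts at or above $FIXED_VERSION"
else
    echo "upgrade needed: the managed version comes from the parent pom"
fi
```

An image scan proves the shipped artifact is clean, while this check shows where a stale version would still come from in the build itself.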
