Bug#1057423: logback: CVE-2023-6378

Salvatore Bonaccorso carnil at debian.org
Mon Dec 4 20:22:38 GMT 2023


On Mon, Dec 04, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote:
> Source: logback
> Version: 1:1.2.11-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 1:1.2.11-3
> 
> Hi,
> 
> The following vulnerability was published for logback.
> 
> CVE-2023-6378[0]:
> | A serialization vulnerability in logback receiver component part of
> | logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
> | attack by sending poisoned data.
> 
> 
> If you fix the vulnerability, please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-6378
>     https://www.cve.org/CVERecord?id=CVE-2023-6378
> [1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731

The fix for the 1.2.x series is
https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3

Regards,
Salvatore


