[Git][security-tracker-team/security-tracker][master] Update information on logback issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Dec 4 20:23:38 GMT 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5be33738 by Salvatore Bonaccorso at 2023-12-04T21:22:47+01:00
Update information on logback issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,5 +1,7 @@
CVE-2023-6481 (A serialization vulnerability in logback receiver component part of l ...)
- TODO: check
+ - logback <not-affected> (Incomplte fix not applied)
+ NOTE: https://logback.qos.ch/news.html#1.3.14
+ NOTE: https://logback.qos.ch/news.html#1.2.13
CVE-2023-6460 (A potential logging of the firestore key via logging within nodejs-fir ...)
TODO: check
CVE-2023-5768 (A vulnerability exists in the HCI IEC 60870-5-104 that affects the RTU ...)
@@ -889,8 +891,11 @@ CVE-2023-6378 (A serialization vulnerability in logback receiver component part
[buster] - logback <postponed> (Minor issue, DoS)
NOTE: https://logback.qos.ch/news.html#1.3.12
NOTE: Fixed by: https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731 (v_1.3.12)
+ NOTE: Fixed by: https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3 (v_1.2.13)
NOTE: Only exploitable if logback receiver component is deployed:
NOTE: https://logback.qos.ch/manual/receivers.html
+ NOTE: When fixing the issue make sure to to not introduce CVE-2023-6481 which is
+ NOTE: assigned for an incomplete fix for CVE-2023-6378.
CVE-2023-6218 (In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9) ...)
NOT-FOR-US: Progress MOVEit Transfer
CVE-2023-6217 (In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9) ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5be33738cc3cc5e9740041dceab10784578571fa
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5be33738cc3cc5e9740041dceab10784578571fa
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231204/2afa7cb8/attachment.htm>
More information about the debian-security-tracker-commits
mailing list