Bug#857343: #857343: logback deserialization vulnerability

Sébastien Delafond seb at debian.org
Tue Mar 28 08:51:09 UTC 2017


On Mar/28, Markus Koschany wrote:
> apparently logback < 1.2.0 is vulnerable to a deserialization issue.
> They announced it on February 8th 2017 but it appears no CVE has been
> assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is
> the same issue as CVE-2015-6420 but I cannot verify that at the moment.
> Would you like to request a CVE id or shall I take care of it?

It's fine if you take care of it (and loop back to oss-sec once it's
assigned). Thanks a lot!

Cheers,

--Seb
