Bug#857343: #857343: logback deserialization vulnerability
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 28 08:54:37 UTC 2017
Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
Hi Markus,
On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote:
> Hello security team,
>
> apparently logback < 1.2.0 is vulnerable to a deserialization issue.
> They announced it on February 8th 2017 but it appears no CVE has been
> assigned yet. [1] The fixing commit is at [2]. The bug reporter claims it is
> the same issue as CVE-2015-6420, but I cannot verify that at the moment.
> Would you like to request a CVE id or shall I take care of it?
There apparently was a mistake in triaging CVE-2017-5929.
This should be:
https://security-tracker.debian.org/tracker/CVE-2017-5929
I fixed the tracker entry and it should display the correct
information on the next update.
Regards,
Salvatore
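As an added illustration of the hardening pattern behind this advisory (this is my own example code, not logback's class and not the fixing commit Markus links): a receiver that calls `ObjectInputStream.readObject()` on bytes from a network peer lets that peer name any class on the classpath, which is the root of the SocketServer/ServerSocketReceiver issue. The mitigation is an `ObjectInputStream` that only resolves classes on an explicit allowlist, so the peer can no longer reach an arbitrary gadget class. The `Event` type, the allowlist and the two inputs below are constructed for the demo; `java.util.HashMap` stands in for whatever unexpected class an attacker would send.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Example (not logback's code): an ObjectInputStream that refuses to resolve any class
 * that is not on an explicit allowlist, so a network peer can only ever instantiate the
 * handful of types the receiver actually expects.
 */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Collection<String> allowedClassNames)
            throws IOException {
        super(in);
        this.allowed = new HashSet<>(allowedClassNames);
    }

    /** Called for every class descriptor in the stream, before any instance is created. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Reject before the class is even loaded: no constructor, readObject() or
            // static initializer of the attacker's choosing ever runs.
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Stand-in for the event type a receiver legitimately expects (constructed for the demo). */
    public static final class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Event(String message) { this.message = message; }
        @Override public String toString() { return "Event(" + message + ")"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The vulnerable shape: whatever class the peer names gets resolved and instantiated. */
    static Object readUnrestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** The hardened shape: only allowlisted class names are resolved. */
    static Object readAllowlisted(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate event and one unexpected type. The HashMap is
        // harmless here; in a real attack it would be the first link of a gadget chain.
        byte[] legitimate = serialize(new Event("hello"));
        byte[] unexpected = serialize(new HashMap<String, String>());
        Set<String> allowed = Set.of(Event.class.getName());

        System.out.println("unrestricted resolves: "
                + readUnrestricted(unexpected).getClass().getName());
        System.out.println("allowlisted accepts:   " + readAllowlisted(legitimate, allowed));
        try {
            readAllowlisted(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted rejects:   " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, an allowlist only helps if every class on it (and every class reachable from its serialized fields) is itself free of dangerous `readObject`/`readResolve` logic, so keep the list to plain data carriers. Second, on Java 9 and later the same effect is available without subclassing via JEP 290: `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.Event;!*"))` rejects everything except the named pattern, and it can additionally cap array sizes and object-graph depth, which the `resolveClass` override above does not.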