Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Markus Koschany
apo at debian.org
Fri Mar 31 12:08:46 UTC 2017
Am 31.03.2017 um 08:10 schrieb Fabrice Dagorn:
> Hi,
> I have made a quick and dirty POC for this issue.
> This results in a remote code execution in the JVM that exposes a
> ServerSocketReceiver.
>
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
>
> The POC is available on demand.
>
> Regards,
> Fabrice Dagorn
Hi,
Yes, please send the POC to apo at debian.org and describe the scenario how
you trigger this issue. Upstream still has not responded to my inquiry.
If I don't hear from then until the beginning of next week I will
backport the other commits on a best effort basis.
Regards,
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20170331/2c74ced3/attachment.sig>
More information about the pkg-java-maintainers
mailing list