Bug#1126748: logback: CVE-2026-1225
Salvatore Bonaccorso
carnil at debian.org
Sun Feb 1 07:48:39 GMT 2026
Source: logback
Version: 1:1.2.11-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi Tony and Java maintainers team,
The following vulnerability was published for logback.
I'm not certain that this is affecting the older version we have; please
check and, ideally, report back if you find where the issue has been
introduced. OTOH the issue might be considered minor? If you can
isolate the fixing commit from 1.5.25 that would be great.
CVE-2026-1225[0]:
| ACE vulnerability in configuration file processing by QOS.CH
| logback-core up to and including version 1.5.24 in Java
| applications, allows an attacker to instantiate classes already
| present on the class path by compromising an existing logback
| configuration file. The instantiation of a potentially malicious
| Java class requires that said class is present on the user's class-
| path. In addition, the attacker must have write access to a
| configuration file. However, after successful instantiation, the
| instance is very likely to be discarded with no further ado.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-1225
https://www.cve.org/CVERecord?id=CVE-2026-1225
[1] https://logback.qos.ch/news.html#1.5.25
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
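The advisory quoted above makes the precondition explicit: an attacker needs write access to an existing logback configuration file. A cheap defensive measure is to pin the owner, mode and SHA-256 of each logback.xml and alert when any of them changes. The script below is an added example for this report, not code from the bug report or from the logback project; the configuration file and digest it uses are constructed for the demonstration, and it assumes GNU coreutils `stat -c` and `sha256sum` as shipped on Debian.

```shell
#!/bin/sh
# Added example, not part of the bug report or of logback.
# Pin owner (uid), mode and SHA-256 of a logback configuration file and
# report any deviation. Assumes GNU coreutils (stat -c, sha256sum).

# pin_logback_config FILE
# Print the SHA-256 digest of a known-good configuration file.
pin_logback_config() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_logback_config FILE EXPECTED_UID EXPECTED_SHA256
# Print one line per finding; return 0 only when every check passes.
check_logback_config() {
    file=$1 uid=$2 expected=$3
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi

    # Ownership: the file should belong to the deploying account (uid),
    # not to the less privileged account the application runs as.
    actual_uid=$(stat -c '%u' "$file")
    if [ "$actual_uid" != "$uid" ]; then
        echo "OWNER     $file is owned by uid $actual_uid, expected $uid"
        rc=1
    fi

    # Mode: a group- or world-writable file can be edited by other local
    # users, which is exactly the precondition of CVE-2026-1225.
    perms=$(stat -c '%A' "$file")     # e.g. -rw-r--r--
    case $perms in
        ?????w*|????????w*)
            echo "WRITABLE  $file has mode $perms"
            rc=1 ;;
    esac

    # Content: any change to the pinned file is worth investigating.
    actual=$(pin_logback_config "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MODIFIED  $file sha256 $actual, expected $expected"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK        $file"
    return "$rc"
}

# Demonstration on a constructed logback.xml in a temporary directory.
# Returns the result of the final check (1: the edited file is reported).
run_demo() {
    demo_dir=$(mktemp -d)
    demo_cfg="$demo_dir/logback.xml"
    cat > "$demo_cfg" <<'EOF'
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
EOF
    chmod 644 "$demo_cfg"
    demo_digest=$(pin_logback_config "$demo_cfg")

    # Pristine file: reported as OK.
    check_logback_config "$demo_cfg" "$(id -u)" "$demo_digest"

    # Simulate the advisory's precondition: file made writable and edited.
    chmod 666 "$demo_cfg"
    echo '<!-- edited -->' >> "$demo_cfg"
    check_logback_config "$demo_cfg" "$(id -u)" "$demo_digest"
    status=$?
    rm -rf "$demo_dir"
    return "$status"
}

run_demo || :
```

In practice the expected digest is taken from the configuration as deployed from a package or a reviewed repository, and the check runs from cron or a monitoring agent under an account other than the one the Java process uses, so that a compromised application cannot silently re-pin its own configuration.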