Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

Fabrice Dagorn fabrice at dagorn.fr
Fri Mar 10 09:06:50 UTC 2017


Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback would try to deserialize data from a socket, but it can't be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be
deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ObjectInputStream-mitigation.patch
Type: text/x-diff
Size: 12303 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20170310/f9540bfa/attachment.patch>