Bug#857343: #857343: logback deserialization vulnerability
Markus Koschany
apo at debian.org
Tue Mar 28 07:41:30 UTC 2017
Hello security team,

apparently logback < 1.2.0 is vulnerable to a deserialization issue.
They announced it on February 8th 2017 but it appears no CVE has been
assigned yet. [1] The fixing commit is at [2]. The bug reporter claims it is
the same issue as CVE-2015-6420 but I cannot verify that at the moment.

Would you like to request a CVE id or shall I take care of it?

Regards,
Markus

[1] https://logback.qos.ch/news.html
[2] https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8