Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

Fabrice Dagorn fabrice at dagorn.fr
Fri Mar 31 06:10:59 UTC 2017

Previous message: Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Next message: Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,
I  have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a 
ServerSocketReceiver.

Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn

Previous message: Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Next message: Bug#857343: closed by Markus Koschany <apo at debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the pkg-java-maintainers mailing list