On Mon, Dec 04, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote:
> Source: logback
> Version: 1:1.2.11-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 1:1.2.11-3
>
> Hi,
>
> The following vulnerability was published for logback.
>
> CVE-2023-6378[0]:
> | A serialization vulnerability in logback receiver component part of
> | logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
> | attack by sending poisoned data.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-6378
>     https://www.cve.org/CVERecord?id=CVE-2023-6378
> [1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731

The fix for the 1.2.x series is
https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3

Regards,
Salvatore