Hello security team,

Apparently, logback < 1.2.0 is vulnerable to a deserialization issue.
They announced it on February 8th 2017, but it appears no CVE has been
assigned yet. [1] The fixing commit is at [2]. The bug reporter claims it is
the same issue as CVE-2015-6420, but I cannot verify that at the moment.
Would you like to request a CVE id, or shall I take care of it?

Regards,

Markus


[1] https://logback.qos.ch/news.html
[2] https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8


--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
