Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
On 31.03.2017 at 08:10, Fabrice Dagorn wrote:
> Hi,
> I have made a quick and dirty POC for this issue.
> This results in a remote code execution in the JVM that exposes a
> ServerSocketReceiver.
> 
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
> 
> The POC is available on demand.
> 
> Regards,
> Fabrice Dagorn

Hi,

Yes, please send the POC to a...@debian.org and describe the scenario in
which you trigger this issue. Upstream still has not responded to my inquiry.
If I don't hear from them by the beginning of next week I will
backport the other commits on a best effort basis.

Regards,

Markus


Bug#859004: Bug#859107: Bug#859001: Let's remove BrowserLauncher from Stretch

2017-03-31 Thread Andreas Tille
Hi,

On Thu, Mar 30, 2017 at 03:00:49PM +0200, Emmanuel Bourg wrote:
> I agree, BrowserLauncher was interesting before Java 6, but the Desktop
> API is good enough for most usages now.

Thanks to Ole's patch to jmodeltest, which was uploaded some hours ago,
I'd even be fine with removing BrowserLauncher not only from Stretch but
also from sid if it has no other reverse dependencies.

Kind regards

  Andreas.

-- 
http://fam-tille.de



Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn

Hi,
I have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a
ServerSocketReceiver.

Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn
