Your message dated Wed, 28 Mar 2018 10:21:05 +0000
with message-id <e1f18cx-0004r8...@fasolo.debian.org>
and subject line Bug#893684: fixed in libslf4j-java 1.7.25-3
has caused the Debian Bug report #893684,
regarding libslf4j-java: CVE-2018-8088: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
893684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libslf4j-java
Version: 1.7.25-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://jira.qos.ch/browse/SLF4J-430
Control: found -1 1.7.7-1

Hi,

the following vulnerability was published for libslf4j-java.

CVE-2018-8088[0]:
| org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before
| 1.8.0-beta2 allows remote attackers to bypass intended access
| restrictions via crafted data.

Unfortunately upstream does not tell us much on the security issue.
[1] itself and the subtask [2] only tell us that the EventData is
going to be marked first as deprecated (then removed) "due to a
security vulnerability" [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8088
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
[1] https://jira.qos.ch/browse/SLF4J-430
[2] https://jira.qos.ch/browse/SLF4J-430
[3] https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405

Please adjust the affected versions in the BTS as needed.
that all earlier versions are affected.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libslf4j-java
Source-Version: 1.7.25-3

We believe that the bug you reported is fixed in the latest version of
libslf4j-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libslf4j-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 28 Mar 2018 11:48:23 +0200
Source: libslf4j-java
Binary: libslf4j-java
Architecture: source
Version: 1.7.25-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libslf4j-java - Simple Logging Facade for Java
Closes: 889393 893684
Changes:
 libslf4j-java (1.7.25-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2018-8088: Deserialisation vulnerability in EventData constructor
     can allow for arbitrary code execution. The EventData class was completely
     removed due to security concerns. (Closes: #893684)
   * Use compat level 11.
   * Remove Damien Raude-Morvan from Uploaders. (Closes: #889393)
   * Use https for Format field.
   * Declare compliance with Debian Policy 4.1.3.
Checksums-Sha1:
 b80aeb29ff97c901549b97db389cd796226dea44 2378 libslf4j-java_1.7.25-3.dsc
 3770b48130454fa89d7f4ca679dfd52132d68817 8724 libslf4j-java_1.7.25-3.debian.tar.xz
 503d82365923873d2352cc2df0d3e06695660bda 15110 libslf4j-java_1.7.25-3_source.buildinfo
Checksums-Sha256:
 ff1c431ddd10085bf2f6825c90ff23383eccc1ca7dfda70e05a229d094907b97 2378 libslf4j-java_1.7.25-3.dsc
 eb7f8f21436691747f17ecbf8f0840f40249a2ef1d0c1fa2777a79a70f094200 8724 libslf4j-java_1.7.25-3.debian.tar.xz
 749b07880689a4f0e0de4b4c870d25eb186b71c696a83103bc81b7f1d06fff74 15110 libslf4j-java_1.7.25-3_source.buildinfo
Files:
 18b85bd100a6af1510761c8ae501fc88 2378 java optional libslf4j-java_1.7.25-3.dsc
 f181e0a25fd7f1d0d5878c81b4d5608b 8724 java optional libslf4j-java_1.7.25-3.debian.tar.xz
 9af815f0744e3500dfcc34a1b4e4a158 15110 java optional libslf4j-java_1.7.25-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.