Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
On Tue, Mar 28, 2017 at 05:48:16PM +0200, Markus Koschany wrote: > Control: forcemerge 857343 858914 > > On 28.03.2017 at 17:38, Guido Günther wrote: > > Package: logback > > Severity: grave > > Tags: security > > > > Hi, > > > > the following vulnerability was published for logback. > > > >

reproducible.debian.net status changes for openjfx

2017-03-28 Thread Reproducible builds folks
2017-03-28 06:29 https://tests.reproducible-builds.org/debian/unstable/amd64/openjfx changed from FTBFS -> unreproducible __ This is the maintainer address of Debian's Java team . Please use

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Markus Koschany
On 28.03.2017 at 20:02, Salvatore Bonaccorso wrote: > Hi Markus, > > On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote: >> On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote: [...] >> Thank you. I am going to fix this bug in a few minutes. Do you think >> this bug warrants a DSA

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Hi Markus, On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote: > On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote: > [...] > > There apparently was a mistake on triaging CVE-2017-5929. > > > > This should be: > > https://security-tracker.debian.org/tracker/CVE-2017-5929 > > > >

Processed: Re: Bug#851430: CVE-2016-9571

2017-03-28 Thread Debian Bug Tracking System
Processing control commands: > retitle -1 resteasy: CVE-2016-9606 Bug #851430 [src:resteasy] CVE-2016-9571 Changed Bug title to 'resteasy: CVE-2016-9606' from 'CVE-2016-9571'. -- 851430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851430 Debian Bug Tracking System Contact

Bug#851430: CVE-2016-9571

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 resteasy: CVE-2016-9606 Just a heads up: apparently the CVE was double-assigned, the correct CVE turns out to be CVE-2016-9606. Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1400644#c17 Regards, Salvatore

Bug#858876: libjna-jni: causes NoClassDefFoundError

2017-03-28 Thread YOSHINO Yoshihito
Hi Emmanuel, On Tue, Mar 28, 2017 at 4:47 PM, Emmanuel Bourg wrote: > Thank you for the report. The symlink was in the same directory? What > JRE did you use? Yes, in the same directory. I use openjdk-8-jre:i386. Regards, -- YOSHINO Yoshihito

Bug#858914: marked as done (CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver)

2017-03-28 Thread Debian Bug Tracking System
Your message dated Tue, 28 Mar 2017 16:04:57 + with message-id and subject line Bug#857343: fixed in logback 1:1.1.9-2 has caused the Debian Bug report #857343, regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

Bug#857343: marked as done (logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components)

2017-03-28 Thread Debian Bug Tracking System
Your message dated Tue, 28 Mar 2017 16:04:57 + with message-id and subject line Bug#857343: fixed in logback 1:1.1.9-2 has caused the Debian Bug report #857343, regarding logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and

logback_1.1.9-2_source.changes ACCEPTED into unstable

2017-03-28 Thread Debian FTP Masters
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 28 Mar 2017 17:22:37 +0200 Source: logback Binary: liblogback-java liblogback-java-doc Architecture: source Version: 1:1.1.9-2 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers

Processing of logback_1.1.9-2_source.changes

2017-03-28 Thread Debian FTP Masters
logback_1.1.9-2_source.changes uploaded successfully to localhost along with the files: logback_1.1.9-2.dsc logback_1.1.9-2.debian.tar.xz logback_1.1.9-2_amd64.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org)

Processed (with 1 error): forcibly merging 857343 858914

2017-03-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > forcemerge 857343 858914 Bug #857343 [liblogback-java] logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Unable to merge bugs because: package of #858914 is 'logback' not

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Markus Koschany
On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote: [...] > There apparently was a mistake on triaging CVE-2017-5929. > > This should be: > https://security-tracker.debian.org/tracker/CVE-2017-5929 > > I fixed the tracker entry and it should display the correct > information on the next update.

Processed: reassign and merge with #857343

2017-03-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > reassign 858914 liblogback-java Bug #858914 [logback] CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver Bug reassigned from package 'logback' to 'liblogback-java'. Ignoring request to alter found versions of bug

Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Markus Koschany
Control: forcemerge 857343 858914 On 28.03.2017 at 17:38, Guido Günther wrote: > Package: logback > Severity: grave > Tags: security > > Hi, > > the following vulnerability was published for logback. > > CVE-2017-5929[0]: > | QOS.ch Logback before 1.2.0 has a serialization vulnerability

Processed (with 1 error): Re: Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Debian Bug Tracking System
Processing control commands: > forcemerge 857343 858914 Bug #857343 [liblogback-java] logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Unable to merge bugs because: package of #858914 is 'logback' not 'liblogback-java' Failed to

Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
Package: logback Severity: grave Tags: security Hi, the following vulnerability was published for logback. CVE-2017-5929[0]: | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting | the SocketServer and ServerSocketReceiver components. If you fix the vulnerability please

Bug#858876: libjna-jni: causes NoClassDefFoundError

2017-03-28 Thread Emmanuel Bourg
On 28/03/2017 at 07:41, YOSHINO Yoshihito wrote: > Workaround: Creating a symlink libjnidispatch.so -> libjnidispatch.system.so > fixes this error. Hi, Thank you for the report. The symlink was in the same directory? What JRE did you use? Emmanuel Bourg

Processed: Re: #857343: logback deserialization vulnerability

2017-03-28 Thread Debian Bug Tracking System
Processing control commands: > retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the > SocketServer and ServerSocketReceiver components Bug #857343 [liblogback-java] liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver Changed Bug

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Hi Markus, On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote: > Hello security team, > > apparently logback < 1.2.0 is vulnerable to a

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Sébastien Delafond
On Mar/28, Markus Koschany wrote: > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot

Bug#857343: #857343: logback deserialization vulnerability

2017-03-28 Thread Markus Koschany
Hello security team, apparently logback < 1.2.0 is vulnerable to a deserialization issue. They announced it on February 8th 2017 but it appears no CVE has been assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is the same issue as CVE-2015-6420 but I cannot verify that at the