Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
You could also attach the POC to this bug report. The vulnerability is publicly known by now anyway. Markus __ This is the maintainer address of Debian's Java team

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
On 31.03.2017 at 08:10, Fabrice Dagorn wrote: > Hi, > I have made a quick and dirty POC for this issue. > This results in a remote code execution in the JVM that exposes a > ServerSocketReceiver. > > Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. > > The POC is available on

Bug#859004: Bug#859107: Bug#859001: Let's remove BrowserLauncher from Stretch

2017-03-31 Thread Andreas Tille
Hi, On Thu, Mar 30, 2017 at 03:00:49PM +0200, Emmanuel Bourg wrote: > I agree, BrowserLauncher was interesting before Java 6, but the Desktop > API is good enough for most usages now. Thanks to Ole's patch to jmodeltest which was uploaded some hours ago I'd be even fine to remove BrowserLauncher

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn
Hi, I have made a quick and dirty POC for this issue. This results in a remote code execution in the JVM that exposes a ServerSocketReceiver. Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. The POC is available on demand. Regards, Fabrice Dagorn