Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-01 Thread Fabrice Dagorn
The POC is a simple Eclipse Java project. UnsafeReceiver will open a ServerSocketReceiver on port and wait forever. Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire. Calculator implements ILoggingEvent to prevent

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn
Hi, I have made a quick and dirty POC for this issue. This results in a remote code execution in the JVM that exposes a ServerSocketReceiver. Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. The POC is available on demand. Regards, Fabrice Dagorn __ This is the maintainer

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Fabrice Dagorn
/979b042cb1f0b4c1e5869ccc8912e68c39f769f9 Fabrice Dagorn On 28/03/2017 at 18:09, Debian Bug Tracking System wrote: This is an automatic notification regarding your Bug report which was filed against the liblogback-java package: #857343: logback: CVE-2017-5929: serialization vulnerability affecting

Bug#857343: (no subject)

2017-03-23 Thread Fabrice Dagorn
Dear Maintainer, it's a serious security bug IMO, feel free to switch back to important if you disagree.

Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn
CVE-2015-6420 is for Apache Commons, but this is the same issue. On 10/03/2017 at 10:15, Emmanuel Bourg wrote: Hi Fabrice, Thank you for the report. Do you know if there is a CVE ID assigned to this vulnerability? Emmanuel Bourg

Bug#857343: (no subject)

2017-03-10 Thread Fabrice Dagorn
tags security

Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn
Package: liblogback-java Version: 1:1.1.2-1 Severity: important Tags: upstream patch Dear Maintainer, logback versions in wheezy, jessie and stretch are vulnerable to a deserialization issue. Logback would try to deserialize data from a socket, but it can't be trusted. Upstream mitigates this