On Mar/28, Markus Koschany wrote: > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot verify that at the moment. > Would you like to request a CVE id or shall I take care of it?
It's fine if you take care of it (and loop back to oss-sec once it's assigned). Thanks a lot ! Cheers, --Seb