Your message dated Tue, 28 Mar 2017 16:04:57 +0000
with message-id <e1cstc9-000cd5...@fasolo.debian.org>
and subject line Bug#857343: fixed in logback 1:1.1.9-2
has caused the Debian Bug report #857343,
regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: logback
Severity: grave
Tags: security

Hi,

The following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.9-2

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 17:22:37 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2017-5929:
     It was discovered that logback, a flexible logging library for Java, would
     deserialize data from untrusted sockets. This issue has been resolved by
     adding a whitelist to use only trusted classes. (Closes: #857343)
     Thanks to Fabrice Dagorn for the report.


--- End Message ---
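The changelog entry above describes the fix as a whitelist so that only trusted classes are deserialized from the socket. As an added illustration, not logback's own code, the stand-alone Java program below shows that technique: an ObjectInputStream subclass whose resolveClass rejects any class descriptor not on the whitelist, exercised against a constructed event and against an unexpected class. The names LogEvent and WhitelistObjectInputStream, and the sample event, are assumptions made for this example.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

public final class WhitelistDeserializationDemo {
    /** Hypothetical event type standing in for the logging event a socket receiver expects. */
    static final class LogEvent implements Serializable {
        final String message;
        LogEvent(String message) { this.message = message; }
    }

    /** ObjectInputStream that refuses any class descriptor not on the whitelist. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException { super(in); this.allowed = allowed; }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Reject before the class is loaded, so no constructor or readObject of an
            // unexpected class ever runs; a plain ObjectInputStream would resolve it.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Hardened receive path: only LogEvent may appear on the stream. */
    static Object readWhitelisted(byte[] wire) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(LogEvent.class.getName());
        try (ObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(wire), allowed)) {
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new LogEvent("constructed sample event"));
        System.out.println(((LogEvent) readWhitelisted(expected)).message);     // accepted
        try {
            readWhitelisted(serialize(new java.util.Date())); // any class the receiver did not ask for
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121 and later) the same policy can also be expressed with the JDK's ObjectInputFilter, which is checked for every class on the stream rather than only in resolveClass.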
