Your message dated Tue, 04 Apr 2017 14:49:44 +0000 with message-id <e1cvpmc-0008id...@fasolo.debian.org> and subject line Bug#857343: fixed in logback 1:1.1.9-3 has caused the Debian Bug report #857343, regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: logback Severity: grave Tags: security Hi, the following vulnerability was published for logback. CVE-2017-5929[0]: | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting | the SocketServer and ServerSocketReceiver components. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-5929 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929 Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---Source: logback Source-Version: 1:1.1.9-3 We believe that the bug you reported is fixed in the latest version of logback, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 857...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated logback package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 04 Apr 2017 14:49:44 +0200 Source: logback Binary: liblogback-java liblogback-java-doc Architecture: source Version: 1:1.1.9-3 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: liblogback-java - flexible logging library for Java liblogback-java-doc - flexible logging library for Java - documentation Closes: 857343 Changes: logback (1:1.1.9-3) unstable; urgency=medium . * Team upload. * The patch for CVE-2017-5929 was incomplete. Add CVE-2017-5929-part2.patch and really fix the issue. (Closes: #857343) * Remove all test cases from CVE-2017-5929.patch and only apply the minimal changes to make it easier to review the package. Tests are disabled anyway. Checksums-Sha1: 0f818b40addffd9000c2ae5bf85a8fadf183e321 2408 logback_1.1.9-3.dsc 439c5a96a938124118754750fe6f6c17871c7475 13524 logback_1.1.9-3.debian.tar.xz 7d59e7da161541f30327e9ab3a5cd82a90c03cd8 15164 logback_1.1.9-3_amd64.buildinfo Checksums-Sha256: 889b956159efc88f2afd1274f7677a6ec2953ce21e22aff3fed58f8c3fa19325 2408 logback_1.1.9-3.dsc cfdb6de7a2d5dd2c7cb004ec8309fa56b241c329a85984170eb85332a28db6b5 13524 logback_1.1.9-3.debian.tar.xz 3e2bfa71d2a5677bb73d2f1c2f06388cdf57aca676f88623dc498fa8ca8bfd70 15164 logback_1.1.9-3_amd64.buildinfo Files: 7fe1580466b7fe6eb34d08ed8f5f5578 2408 java optional logback_1.1.9-3.dsc a2442304b426b0755a3e98419a0b44d0 13524 java optional logback_1.1.9-3.debian.tar.xz deb12871e55f268fd8cf88be8ffaf836 15164 java optional logback_1.1.9-3_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAljjpn9fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkjvIP/jixGBcpyP0MvSrtixrZRGjU8Ht+5zwma85H Pd5fU6nziTHqJhaWxQrTicWijRLl73LQPLcOSU6CrJAHs1RlOhWKNUWExW5tUz+w A5/c1YhXrQ1uTCM0RZKPk58ovnVL6GOZxtWbOPLQaTBW10rRHcnDsA26HW6AJjQX W/3w1XXvcnoQV22hypN4lF5B8hwQC57xlM8v8FHzucrypTdmkwWBQDy3KI5p+AAE dnL0SCrszazJSVNmfgMYlGM2FmQFkJVyS7zHUd45hUv6y9g6D4QNCmj5tHc7qQ2u IYS+nPy/9xFANN2wj8l7WBsEai40uVc9vnrkb4piUYZzsAbKCNRx15U/EuzPE6tC W44iUDBPPvVIxDlp1/FDekKGg6UMrB0Wt0hS2Kw9k5MViA50FZK4nTeyqwPfXqMe f5FdE9exhNFvidQgyIy4elEjuShFUGMAaXpsWnaUpURbnT02Go/9TMWTjeRAzG6Q OLTJcP8xIeeOJGnaZL6olkwPkR8p5ZoMzSZKurfvTpD93ABhRnO6jd9IOLtsc15R 1Z2sRNSkiuBN+reSpbmtXZz+7gsF16XH5ug5pCfXQ84M1XonGLiyGqbweQ0sPrFJ n2coSjV+hryUnhdldCSQNMs0Ssc3Z+OSk3okmGz0jDgrklE6k0bjVXH5QEfQXN/b 13aFLPTN =bpU+ -----END PGP SIGNATURE-----
--- End Message ---
