Bug#858914: marked as done (CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver)

2017-04-25 Thread Debian Bug Tracking System
Your message dated Tue, 25 Apr 2017 19:47:15 +
with message-id 
and subject line Bug#857343: fixed in logback 1:1.1.2-1+deb8u1
has caused the Debian Bug report #857343,
regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: logback
Severity: grave
Tags: security

Hi,

the following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 24 Apr 2017 13:41:45 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source all
Version: 1:1.1.2-1+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.2-1+deb8u1) jessie; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5929:
 It was discovered that logback, a flexible logging library for Java, would
 deserialize data from untrusted sockets. This issue has been resolved by
 adding a whitelist to use only trusted classes. (Closes: #857343)
Checksums-Sha1:
 279a0764fb1ff52d1aaba3925722adccee03236b 2270 logback_1.1.2-1+deb8u1.dsc
 951e6cd1c497d14fb10ebf518937928232cdc830 11560 logback_1.1.2-1+deb8u1.debian.tar.xz
 daed26934cf922a190b4c317841b69cf985a2d14 624718 liblogback-java_1.1.2-1+deb8u1_all.deb
 025cebc4db3445261cb9f87a5a62f832e9cdf138 1778332 liblogback-java-doc_1.1.2-1+deb8u1_all.deb
Checksums-Sha256:
 103395aa6dbb290dd74454254fd83e04f2c02c4612d2f83c98da692b64ee240e 2270 logback_1.1.2-1+deb8u1.dsc
 502d128e960a611893292515072edeb33bec82811c526251d29655a499a15e77 11560 logback_1.1.2-1+deb8u1.debian.tar.xz
 fa847a1bf2f3e3e28e9196376ea21494164a8cc2c1b350cbc47aab740a2c89b6 624718 liblogback-java_1.1.2-1+deb8u1_all.deb
 6c7b00e07633a53dd6cb5775c0968347583388b81b1014398ea8b140ba76cb3a 1778332 liblogback-java-doc_1.1.2-1+deb8u1_all.deb
Files:
 b507b7bdd6ac787dd21281e1abd4a6e2 2270 java optional logback_1.1.2-1+deb8u1.dsc
 0c376c4b6f715d0351c1f3168ac1792c 11560 java optional logback_1.1.2-1+deb8u1.debian.tar.xz
 91fae7f0d03b6fe14e15164c97d9537f 624718 java optional liblogback-java_1.1.2-1+deb8u1_all.deb
 7c5b86df31d22cd6abdf47c71de76f75 1778332 doc optional liblogback-java-doc_1.1.2-1+deb8u1_all.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

Bug#858914: marked as done (CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver)

2017-04-04 Thread Debian Bug Tracking System
Your message dated Tue, 04 Apr 2017 14:49:44 +
with message-id 
and subject line Bug#857343: fixed in logback 1:1.1.9-3
has caused the Debian Bug report #857343,
regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: logback
Severity: grave
Tags: security

Hi,

the following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.9-3

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 04 Apr 2017 14:49:44 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-3) unstable; urgency=medium
 .
   * Team upload.
   * The patch for CVE-2017-5929 was incomplete. Add CVE-2017-5929-part2.patch
 and really fix the issue. (Closes: #857343)
   * Remove all test cases from CVE-2017-5929.patch and only apply the minimal
 changes to make it easier to review the package. Tests are disabled anyway.
Checksums-Sha1:
 0f818b40addffd9000c2ae5bf85a8fadf183e321 2408 logback_1.1.9-3.dsc
 439c5a96a938124118754750fe6f6c17871c7475 13524 logback_1.1.9-3.debian.tar.xz
 7d59e7da161541f30327e9ab3a5cd82a90c03cd8 15164 logback_1.1.9-3_amd64.buildinfo
Checksums-Sha256:
 889b956159efc88f2afd1274f7677a6ec2953ce21e22aff3fed58f8c3fa19325 2408 logback_1.1.9-3.dsc
 cfdb6de7a2d5dd2c7cb004ec8309fa56b241c329a85984170eb85332a28db6b5 13524 logback_1.1.9-3.debian.tar.xz
 3e2bfa71d2a5677bb73d2f1c2f06388cdf57aca676f88623dc498fa8ca8bfd70 15164 logback_1.1.9-3_amd64.buildinfo
Files:
 7fe1580466b7fe6eb34d08ed8f5f5578 2408 java optional logback_1.1.9-3.dsc
 a2442304b426b0755a3e98419a0b44d0 13524 java optional logback_1.1.9-3.debian.tar.xz
 deb12871e55f268fd8cf88be8ffaf836 15164 java optional logback_1.1.9-3_amd64.buildinfo

-BEGIN PGP SIGNATURE-
=bpU+
-END PGP SIGNATURE-

Bug#858914: marked as done (CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver)

2017-03-28 Thread Debian Bug Tracking System
Your message dated Tue, 28 Mar 2017 16:04:57 +
with message-id 
and subject line Bug#857343: fixed in logback 1:1.1.9-2
has caused the Debian Bug report #857343,
regarding CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: logback
Severity: grave
Tags: security

Hi,

the following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.9-2

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 17:22:37 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2017-5929:
 It was discovered that logback, a flexible logging library for Java, would
 deserialize data from untrusted sockets. This issue has been resolved by
 adding a whitelist to use only trusted classes. (Closes: #857343)
 Thanks to Fabrice Dagorn for the report.
Checksums-Sha1:
 a80b2a96a5fe7440e3cf05ca649ce843f956bd17 2408 logback_1.1.9-2.dsc
 54688b6b588ed58d126314e1b23fcdd6d1f2bebd 12144 logback_1.1.9-2.debian.tar.xz
 33f35fb43eaf21b32e7f83620cf68df8a4e846c1 15154 logback_1.1.9-2_amd64.buildinfo
Checksums-Sha256:
 99c01932556306755697497c172bb0cb6a9b100915fae43a41cfb7105289c260 2408 logback_1.1.9-2.dsc
 16d7640ef0dc253a799e3e95450aac682a39877556219d983e2fc85809213f4b 12144 logback_1.1.9-2.debian.tar.xz
 93d2f80f30285d36e13a1945a201357b1d9b6eb8ade2b58b725eebb0d5a6b30c 15154 logback_1.1.9-2_amd64.buildinfo
Files:
 99bd1f27c78f1a523f7d2af337b1649b 2408 java optional logback_1.1.9-2.dsc
 3a4c6bc37eef5638a43bcc17a2121731 12144 java optional logback_1.1.9-2.debian.tar.xz
 201a70196f6fccc0ec32a21dc4497ef2 15154 java optional logback_1.1.9-2_amd64.buildinfo

-BEGIN PGP SIGNATURE-
=dG7X
-END PGP