Debian Bug report logs - #1057423
logback: CVE-2023-6378
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 4 Dec 2023 20:00:02 UTC
Severity: important
Tags: security, upstream
Found in versions logback/1:1.2.11-3, logback/1:1.2.11-4
Fixed in version logback/1:1.2.11-5
Done: tony mancill <tmancill@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#1057423; Package src:logback. (Mon, 04 Dec 2023 20:00:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 04 Dec 2023 20:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: logback
Version: 1:1.2.11-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:1.2.11-3
Hi,
The following vulnerability was published for logback.
CVE-2023-6378[0]:
| A serialization vulnerability in logback receiver component part of
| logback version 1.4.11 allows an attacker to mount a Denial-Of-
| Service attack by sending poisoned data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-6378
https://www.cve.org/CVERecord?id=CVE-2023-6378
[1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions logback/1:1.2.11-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 04 Dec 2023 20:00:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#1057423; Package src:logback. (Mon, 04 Dec 2023 20:27:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 04 Dec 2023 20:27:06 GMT)
Message #12 received at 1057423@bugs.debian.org:
On Mon, Dec 04, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote:
> Source: logback
> Version: 1:1.2.11-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 1:1.2.11-3
>
> Hi,
>
> The following vulnerability was published for logback.
>
> CVE-2023-6378[0]:
> | A serialization vulnerability in logback receiver component part of
> | logback version 1.4.11 allows an attacker to mount a Denial-Of-
> | Service attack by sending poisoned data.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-6378
> https://www.cve.org/CVERecord?id=CVE-2023-6378
> [1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731
The fix for the 1.2.x series is
https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#1057423. (Tue, 05 Dec 2023 07:12:03 GMT)
Message #15 received at 1057423-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #1057423 in logback reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/java-team/logback/-/commit/0fd3b2463127efe97d7476ec5295da54fcd7378a
------------------------------------------------------------------------
Add patch for CVE-2023-6378 (Closes: #1057423)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1057423
Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1057423-submitter@bugs.debian.org. (Tue, 05 Dec 2023 07:12:03 GMT)
Reply sent to tony mancill <tmancill@debian.org>: You have taken responsibility. (Tue, 05 Dec 2023 07:21:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 05 Dec 2023 07:21:03 GMT)
Message #22 received at 1057423-close@bugs.debian.org:
Source: logback
Source-Version: 1:1.2.11-5
Done: tony mancill <tmancill@debian.org>
We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1057423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated logback package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 04 Dec 2023 22:42:09 -0800
Source: logback
Architecture: source
Version: 1:1.2.11-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1057423
Changes:
logback (1:1.2.11-5) unstable; urgency=medium
.
* Add patch for CVE-2023-6378 (Closes: #1057423)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Tue Dec 5 08:17:27 2023