Debian Bug report logs - #1057423
logback: CVE-2023-6378

Related Vulnerabilities: CVE-2023-6378

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 4 Dec 2023 20:00:02 UTC

Severity: important

Tags: security, upstream

Found in versions logback/1:1.2.11-3, logback/1:1.2.11-4

Fixed in version logback/1:1.2.11-5

Done: tony mancill <tmancill@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1057423; Package src:logback. (Mon, 04 Dec 2023 20:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 04 Dec 2023 20:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: logback: CVE-2023-6378
Date: Mon, 04 Dec 2023 20:57:52 +0100
Source: logback
Version: 1:1.2.11-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:1.2.11-3

Hi,

The following vulnerability was published for logback.

CVE-2023-6378[0]:
| A serialization vulnerability in logback receiver component part of
| logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
| attack by sending poisoned data.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-6378
    https://www.cve.org/CVERecord?id=CVE-2023-6378
[1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions logback/1:1.2.11-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 04 Dec 2023 20:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1057423; Package src:logback. (Mon, 04 Dec 2023 20:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 04 Dec 2023 20:27:06 GMT)


Message #12 received at 1057423@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1057423@bugs.debian.org
Subject: Re: Bug#1057423: logback: CVE-2023-6378
Date: Mon, 4 Dec 2023 21:22:38 +0100
On Mon, Dec 04, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote:
> Source: logback
> Version: 1:1.2.11-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 1:1.2.11-3
> 
> Hi,
> 
> The following vulnerability was published for logback.
> 
> CVE-2023-6378[0]:
> | A serialization vulnerability in logback receiver component part of
> | logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
> | attack by sending poisoned data.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-6378
>     https://www.cve.org/CVERecord?id=CVE-2023-6378
> [1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731

The fix for the 1.2.x series is
https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1057423. (Tue, 05 Dec 2023 07:12:03 GMT)


Message #15 received at 1057423-submitter@bugs.debian.org:

From: Tony Mancill <noreply@salsa.debian.org>
To: 1057423-submitter@bugs.debian.org
Subject: Bug#1057423 marked as pending in logback
Date: Tue, 05 Dec 2023 07:09:45 +0000
Control: tag -1 pending

Hello,

Bug #1057423 in logback reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/logback/-/commit/0fd3b2463127efe97d7476ec5295da54fcd7378a

------------------------------------------------------------------------
Add patch for CVE-2023-6378 (Closes: #1057423)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1057423



Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1057423-submitter@bugs.debian.org. (Tue, 05 Dec 2023 07:12:03 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Tue, 05 Dec 2023 07:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Dec 2023 07:21:03 GMT)


Message #22 received at 1057423-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1057423-close@bugs.debian.org
Subject: Bug#1057423: fixed in logback 1:1.2.11-5
Date: Tue, 05 Dec 2023 07:19:05 +0000
Source: logback
Source-Version: 1:1.2.11-5
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 04 Dec 2023 22:42:09 -0800
Source: logback
Architecture: source
Version: 1:1.2.11-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1057423
Changes:
 logback (1:1.2.11-5) unstable; urgency=medium
 .
   * Add patch for CVE-2023-6378 (Closes: #1057423)
Checksums-Sha1:
 5d77e34765b808e07af69671fad5da4a3cf11ce8 2322 logback_1.2.11-5.dsc
 43a85b9b00da5f98cb51161768ee566ccb94fd0a 15428 logback_1.2.11-5.debian.tar.xz
 946bac19ff9d607337d608dc99cd8d1444122c86 15221 logback_1.2.11-5_amd64.buildinfo
Checksums-Sha256:
 fd4d62798712958fbd33596c791e9d06a7424492c86dbe8f2399f17526ed517a 2322 logback_1.2.11-5.dsc
 bc9de034286ca2659844ce24878bc10b66bbcbcf0bc63be24511b039398019a4 15428 logback_1.2.11-5.debian.tar.xz
 28b15894bfb7e6d5b8b81dbfd3dad2b4b0fb9fff3a4725660259700d02ba5175 15221 logback_1.2.11-5_amd64.buildinfo
Files:
 51a0d335614c03199af63723ecb76fe5 2322 java optional logback_1.2.11-5.dsc
 3f2abb1c5ebcddd95dda00399436e0ca 15428 java optional logback_1.2.11-5.debian.tar.xz
 6e76c40f595a782be69234ff312b0272 15221 java optional logback_1.2.11-5_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Dec 5 08:17:27 2023; Machine Name: bembo
