logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components

Related Vulnerabilities: CVE-2017-5929   CVE-2015-6420  

Debian Bug report logs - #857343
logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components


Reported by: Fabrice Dagorn <fabrice@dagorn.fr>

Date: Fri, 10 Mar 2017 09:09:02 UTC

Severity: serious

Tags: patch, security, upstream

Merged with 858914

Found in version logback/1:1.1.2-1

Fixed in versions logback/1:1.1.9-3, logback/1:1.1.2-1+deb8u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 10 Mar 2017 09:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Mar 2017 09:09:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver
Date: Fri, 10 Mar 2017 10:06:50 +0100
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback would try to deserialize data from a socket, but it can't be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be
deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
[ObjectInputStream-mitigation.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 10 Mar 2017 09:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Fri, 10 Mar 2017 09:21:03 GMT) (full text, mbox, link).


Message #10 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: 857343@bugs.debian.org
Date: Fri, 10 Mar 2017 10:10:10 +0100
tags security



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 10 Mar 2017 09:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Mar 2017 09:27:04 GMT) (full text, mbox, link).


Message #15 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: Emmanuel Bourg <ebourg@apache.org>, 857343@bugs.debian.org
Subject: Re: Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver
Date: Fri, 10 Mar 2017 10:26:16 +0100
CVE-2015-6420 is for Apache Commons, but this is the same issue.

On 10/03/2017 at 10:15, Emmanuel Bourg wrote:
> Hi Fabrice,
>
> Thank you for the report. Do you know if there is a CVE ID assigned to
> this vulnerability?
>
> Emmanuel Bourg
>




Added tag(s) security. Request was from Fabrice Dagorn <fabrice@dagorn.fr> to control@bugs.debian.org. (Fri, 10 Mar 2017 11:21:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 10 Mar 2017 12:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Mar 2017 12:57:03 GMT) (full text, mbox, link).


Message #22 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Fabrice Dagorn <fabrice@dagorn.fr>, 857343@bugs.debian.org
Subject: Re: Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver
Date: Fri, 10 Mar 2017 10:15:54 +0100
Hi Fabrice,

Thank you for the report. Do you know if there is a CVE ID assigned to
this vulnerability?

Emmanuel Bourg




Severity set to 'serious' from 'important' Request was from Fabrice Dagorn <fabrice@dagorn.fr> to control@bugs.debian.org. (Thu, 23 Mar 2017 09:18:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Thu, 23 Mar 2017 09:27:09 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Thu, 23 Mar 2017 09:27:09 GMT) (full text, mbox, link).


Message #29 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: 857343@bugs.debian.org
Date: Thu, 23 Mar 2017 10:22:51 +0100
Dear Maintainer,
it's a serious security bug IMO, feel free to switch back to important 
if you disagree.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 07:48:10 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 07:48:10 GMT) (full text, mbox, link).


Message #34 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: "team@security.debian.org" <team@security.debian.org>
Cc: 857343@bugs.debian.org
Subject: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 09:41:30 +0200
Hello security team,

apparently logback < 1.2.0 is vulnerable to a deserialization issue.
They announced it on February 8th 2017 but it appears no CVE has been
assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is
the same issue as CVE-2015-6420 but I cannot verify that at the moment.
Would you like to request a CVE id or shall I take care of it?

Regards,

Markus


[1] https://logback.qos.ch/news.html
[2] https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 08:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 08:54:03 GMT) (full text, mbox, link).


Message #39 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: "team@security.debian.org" <team@security.debian.org>, 857343@bugs.debian.org
Subject: Re: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 10:51:09 +0200
On Mar/28, Markus Koschany wrote:
> apparently logback < 1.2.0 is vulnerable to a deserialization issue.
> They announced it on February 8th 2017 but it appears no CVE has been
> assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is
> the same issue as CVE-2015-6420 but I cannot verify that at the moment.
> Would you like to request a CVE id or shall I take care of it?

It's fine if you take care of it (and loop back to oss-sec once it's
assigned). Thanks a lot !

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 08:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 08:57:07 GMT) (full text, mbox, link).


Message #44 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: "team@security.debian.org" <team@security.debian.org>, 857343@bugs.debian.org
Subject: Re: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 10:54:37 +0200
Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components

Hi Markus,

On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote:
> Hello security team,
> 
> apparently logback < 1.2.0 is vulnerable to a deserialization issue.
> They announced it on February 8th 2017 but it appears no CVE has been
> assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is
> the same issue as CVE-2015-6420 but I cannot verify that at the moment.
> Would you like to request a CVE id or shall I take care of it?

There apparently was a mistake on triaging CVE-2017-5929.

This should be:
https://security-tracker.debian.org/tracker/CVE-2017-5929

I fixed the tracker entry and it should display the correct
information on the next update.

Regards,
Salvatore



Changed Bug title to 'logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components' from 'liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 857343-submit@bugs.debian.org. (Tue, 28 Mar 2017 08:57:07 GMT) (full text, mbox, link).


Merged 857343 858914 Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Tue, 28 Mar 2017 15:51:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 15:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 15:54:02 GMT) (full text, mbox, link).


Message #53 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: "team@security.debian.org" <team@security.debian.org>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 17:51:38 +0200
On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote:
[...]
> There apparently was a mistake on triaging CVE-2017-5929.
> 
> This should be:
> https://security-tracker.debian.org/tracker/CVE-2017-5929
> 
> I fixed the tracker entry and it should display the correct
> information on the next update.

Thank you. I am going to fix this bug in a few minutes. Do you think
this bug warrants a DSA or do you prefer that I get in contact with the
release team?

Regards,

Markus





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 28 Mar 2017 16:09:05 GMT) (full text, mbox, link).


Notification sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Bug acknowledged by developer. (Tue, 28 Mar 2017 16:09:06 GMT) (full text, mbox, link).


Message #58 received at 857343-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 857343-close@bugs.debian.org
Subject: Bug#857343: fixed in logback 1:1.1.9-2
Date: Tue, 28 Mar 2017 16:04:57 +0000
Source: logback
Source-Version: 1:1.1.9-2

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857343@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Mar 2017 17:22:37 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2017-5929:
     It was discovered that logback, a flexible logging library for Java, would
     deserialize data from untrusted sockets. This issue has been resolved by
     adding a whitelist to use only trusted classes. (Closes: #857343)
     Thanks to Fabrice Dagorn for the report.




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 28 Mar 2017 16:09:06 GMT) (full text, mbox, link).


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Tue, 28 Mar 2017 16:09:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 18:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 18:03:06 GMT) (full text, mbox, link).


Message #67 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 857343@bugs.debian.org
Cc: "team@security.debian.org" <team@security.debian.org>
Subject: Re: Bug#857343: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 20:02:00 +0200
Hi Markus,

On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote:
> On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote:
> [...]
> > There apparently was a mistake on triaging CVE-2017-5929.
> > 
> > This should be:
> > https://security-tracker.debian.org/tracker/CVE-2017-5929
> > 
> > I fixed the tracker entry and it should display the correct
> > information on the next update.
> 
> Thank you. I am going to fix this bug in a few minutes. Do you think
> this bug warrants a DSA or do you prefer that I get in contact with the
> release team?

So, should be not necessary to release a DSA for it. Can you please
update logback via an upcoming point release?

Thanks again, and regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 28 Mar 2017 18:09:08 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 28 Mar 2017 18:09:08 GMT) (full text, mbox, link).


Message #72 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: "team@security.debian.org" <team@security.debian.org>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: #857343: logback deserialization vulnerability
Date: Tue, 28 Mar 2017 20:06:28 +0200
On 28.03.2017 at 20:02, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Tue, Mar 28, 2017 at 05:51:38PM +0200, Markus Koschany wrote:
>> On 28.03.2017 at 10:54, Salvatore Bonaccorso wrote:
[...]
>> Thank you. I am going to fix this bug in a few minutes. Do you think
>> this bug warrants a DSA or do you prefer that I get in contact with the
>> release team?
> 
> So, should be not necessary to release a DSA for it. Can you please
> update logback via an upcoming point release?

Sure, will do.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Wed, 29 Mar 2017 06:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 29 Mar 2017 06:15:03 GMT) (full text, mbox, link).


Message #77 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: 857343@bugs.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: Bug#857343 closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Wed, 29 Mar 2017 08:11:29 +0200
Thank you for your upload.

But I think that the issue is not completely solved, upstream made it in 
several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).

The comment is not meaningful but this one is related to the 
vulnerability : 
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Fabrice Dagorn

On 28/03/2017 at 18:09, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the liblogback-java package:
>
> #857343: logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
>
> It has been closed by Markus Koschany <apo@debian.org>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Markus Koschany <apo@debian.org> by
> replying to this email.
>
>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Wed, 29 Mar 2017 09:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to 857343@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 29 Mar 2017 09:36:06 GMT) (full text, mbox, link).


Message #82 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabrice Dagorn <fabrice@dagorn.fr>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Wed, 29 Mar 2017 11:33:56 +0200
Control: reopen -1

On 29.03.2017 at 08:11, Fabrice Dagorn wrote:
> Thank you for your upload.
> 
> But i think that the issue is not completely solved, upstream made it in
> several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).
> 
> The comment is not meaningful but this one is related to the
> vulnerability :
> https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Hi,

I am not sure because they have also included a lot of cosmetic changes
but there might be even more relevant commits hence I have asked for a
clarification from upstream. [1]

I keep this bug report open until we know more about it.

Regards,

Markus

[1] http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html


Bug reopened Request was from Markus Koschany <apo@debian.org> to 857343-submit@bugs.debian.org. (Wed, 29 Mar 2017 09:36:06 GMT) (full text, mbox, link).


No longer marked as fixed in versions logback/1:1.1.9-2. Request was from Markus Koschany <apo@debian.org> to 857343-submit@bugs.debian.org. (Wed, 29 Mar 2017 09:36:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 31 Mar 2017 06:12:52 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 31 Mar 2017 06:12:52 GMT) (full text, mbox, link).


Message #91 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: 857343@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Fri, 31 Mar 2017 08:10:59 +0200
Hi,
I have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a 
ServerSocketReceiver.

Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 31 Mar 2017 12:12:02 GMT) (full text, mbox, link).


Acknowledgement sent to 857343@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 31 Mar 2017 12:12:03 GMT) (full text, mbox, link).


Message #96 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabrice Dagorn <fabrice@dagorn.fr>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Fri, 31 Mar 2017 14:08:46 +0200
On 31.03.2017 at 08:10, Fabrice Dagorn wrote:
> Hi,
> I  have made a quick and dirty POC for this issue.
> This results in a remote code execution in the JVM that exposes a
> ServerSocketReceiver.
> 
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
> 
> The POC is available on demand.
> 
> Regards,
> Fabrice Dagorn

Hi,

Yes, please send the POC to apo@debian.org and describe the scenario how
you trigger this issue. Upstream still has not responded to my inquiry.
If I don't hear from them until the beginning of next week I will
backport the other commits on a best effort basis.

Regards,

Markus



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 31 Mar 2017 12:12:15 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 31 Mar 2017 12:12:15 GMT) (full text, mbox, link).


Message #101 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabrice Dagorn <fabrice@dagorn.fr>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Fri, 31 Mar 2017 14:10:56 +0200
You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Sat, 01 Apr 2017 06:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 01 Apr 2017 06:24:03 GMT) (full text, mbox, link).


Message #106 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Fabrice Dagorn <fabrice@dagorn.fr>
To: Markus Koschany <apo@debian.org>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Sat, 1 Apr 2017 08:20:17 +0200
The POC is a simple Eclipse java project.

UnsafeReceiver will open a ServerSocketReceiver on 1111 port and wait 
forever.

Injector will then open a client Socket to the ServerSocketReceiver and 
serialize a Calculator instance through the wire.

Calculator implements ILoggingEvent to prevent ClassCastException on 
deserialization but Logback won't check more and getLoggerName() is called.

In this case, the gnome calculator is executed.


Regards,

Fabrice


On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is
> publicly known by now anyway.
>
> Markus
>

[poc_logback.tar.gz (application/x-gzip, attachment)]
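
The allow-list mitigation mentioned in the report, shown next to the cast-only pattern that the reproducer gets past, as an added example (not part of this bug log, not the reporter's POC and not logback's own patch). The names Event, TrustedEvent, UnexpectedEvent and AllowListObjectInputStream are hypothetical stand-ins, and the byte arrays are constructed in-process instead of arriving over a socket.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class AllowListDemo {

    /** Hypothetical stand-in for the event interface a log receiver expects. */
    interface Event extends Serializable {
        String getLoggerName();
    }

    /** The only event class the receiver intends to accept. */
    static final class TrustedEvent implements Event {
        private static final long serialVersionUID = 1L;
        private final String loggerName;
        TrustedEvent(String loggerName) { this.loggerName = loggerName; }
        @Override public String getLoggerName() { return loggerName; }
    }

    /** Implements the interface, so a cast succeeds, but was never meant to be accepted. */
    static final class UnexpectedEvent implements Event {
        private static final long serialVersionUID = 1L;
        @Override public String getLoggerName() { return "unexpected"; }
    }

    /** Rejects any class that is not on the allow-list before it is instantiated. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called once per class descriptor in the stream, before any object is built.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Constructed sample input: serialize an object to a byte array. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    /** Cast-only pattern: the object already exists by the time the cast runs. */
    static Event readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Event) in.readObject();
        }
    }

    /** Allow-list pattern: only TrustedEvent may be resolved from the stream. */
    static Event readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(TrustedEvent.class.getName());
        try (ObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return (Event) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new TrustedEvent("app.Main"));
        byte[] unexpected = serialize(new UnexpectedEvent());

        // The cast accepts anything that implements Event, whatever its class.
        System.out.println("unfiltered: " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getName());

        // The allow-list stream accepts the expected class and refuses the other one.
        System.out.println("filtered:   " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered:   unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected " + e.classname);
        }
    }
}
```

A real allow-list also has to name every class reachable from the accepted type's fields, since resolveClass is consulted for each class descriptor in the stream.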

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Tue, 04 Apr 2017 13:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 04 Apr 2017 13:51:06 GMT) (full text, mbox, link).


Message #111 received at 857343@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Fabrice Dagorn <fabrice@dagorn.fr>
Cc: 857343@bugs.debian.org
Subject: Re: Bug#857343: closed by Markus Koschany <apo@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Date: Tue, 4 Apr 2017 15:48:55 +0200
On 01.04.2017 at 08:20, Fabrice Dagorn wrote:
> The POC is a simple Eclipse java project.
> 
> UnsafeReceiver will open a ServerSocketReceiver on 1111 port and wait
> forever.
> 
> Injector will then open a client Socket to the ServerSocketReceiver and
> serialize a Calculator instance through the wire.
> 
> Calculator implements ILoggingEvent to prevent ClassCastException on
> deserialization but Logback won't check more and getLoggerName() is called.
> 
> In this case, the gnome calculator is executed.

Thank you for the reproducer. I believe the issue is fixed now and I am
going to upload the new revision soon.

Regards,

Markus



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 04 Apr 2017 14:51:06 GMT) (full text, mbox, link).


Notification sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Bug acknowledged by developer. (Tue, 04 Apr 2017 14:51:06 GMT) (full text, mbox, link).


Message #116 received at 857343-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 857343-close@bugs.debian.org
Subject: Bug#857343: fixed in logback 1:1.1.9-3
Date: Tue, 04 Apr 2017 14:49:44 +0000
Source: logback
Source-Version: 1:1.1.9-3

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857343@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 Apr 2017 14:49:44 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-3) unstable; urgency=medium
 .
   * Team upload.
   * The patch for CVE-2017-5929 was incomplete. Add CVE-2017-5929-part2.patch
     and really fix the issue. (Closes: #857343)
   * Remove all test cases from CVE-2017-5929.patch and only apply the minimal
     changes to make it easier to review the package. Tests are disabled anyway.





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 04 Apr 2017 14:51:07 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Tue, 04 Apr 2017 14:51:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 07 Apr 2017 14:30:03 GMT)


Message #123 received at 857343@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 857343@bugs.debian.org, 857343-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the logback package
Date: Fri, 07 Apr 2017 14:27:32 +0000
tag 857343 + pending
thanks

Some bugs in the logback package are closed in revision
d88f6cd125cb5e9f7965f29b27ec05b5239ca40b in branch 'jessie' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/logback.git/commit/?id=d88f6cd

Commit message:

    Import Debian changes 1:1.1.2-1+deb8u1
    
    logback (1:1.1.2-1+deb8u1) jessie; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5929:
        It was discovered that logback, a flexible logging library for Java, would
        deserialize data from untrusted sockets. This issue has been resolved by
        adding a whitelist to use only trusted classes. (Closes: #857343)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 07 Apr 2017 14:30:04 GMT)


Message sent on to Fabrice Dagorn <fabrice@dagorn.fr>:
Bug#857343. (Fri, 07 Apr 2017 14:30:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#857343; Package liblogback-java. (Fri, 07 Apr 2017 22:21:04 GMT)


Message #131 received at 857343@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 857343@bugs.debian.org, 857343-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the logback package
Date: Fri, 07 Apr 2017 22:16:20 +0000
tag 857343 + pending
thanks

Some bugs in the logback package are closed in revision
febe22ba76de74fbf5238b5f245dcb3fcf151d0d in branch 'wheezy' by
Markus Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/logback.git/commit/?id=febe22b

Commit message:

    Import Debian changes 1:1.0.4-1+deb7u1
    
    logback (1:1.0.4-1+deb7u1) wheezy-security; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5929:
        It was discovered that logback, a flexible logging library for Java, would
        deserialize data from untrusted sockets. This issue has been resolved by
        adding a whitelist to use only trusted classes. (Closes: #857343)
    
    logback (1:1.0.4-1) unstable; urgency=low
    
      * New upstream release.
      * d/control: Update Standards-Version to 3.9.3: no changes needed.
      * d/copyright: Upgrade to copyright-format 1.0.




Message sent on to Fabrice Dagorn <fabrice@dagorn.fr>:
Bug#857343. (Fri, 07 Apr 2017 22:21:10 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 25 Apr 2017 19:51:06 GMT)


Notification sent to Fabrice Dagorn <fabrice@dagorn.fr>:
Bug acknowledged by developer. (Tue, 25 Apr 2017 19:51:06 GMT)


Message #139 received at 857343-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 857343-close@bugs.debian.org
Subject: Bug#857343: fixed in logback 1:1.1.2-1+deb8u1
Date: Tue, 25 Apr 2017 19:47:15 +0000
Source: logback
Source-Version: 1:1.1.2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857343@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Apr 2017 13:41:45 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source all
Version: 1:1.1.2-1+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.2-1+deb8u1) jessie; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5929:
     It was discovered that logback, a flexible logging library for Java, would
     deserialize data from untrusted sockets. This issue has been resolved by
     adding a whitelist to use only trusted classes. (Closes: #857343)





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 25 Apr 2017 19:51:06 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Tue, 25 Apr 2017 19:51:07 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 May 2017 07:25:12 GMT)

