Your message dated Tue, 05 Dec 2023 07:19:05 +0000
with message-id <[email protected]>
and subject line Bug#1057423: fixed in logback 1:1.2.11-5
has caused the Debian Bug report #1057423,
regarding logback: CVE-2023-6378
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1057423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057423
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: logback
Version: 1:1.2.11-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:1.2.11-3
Hi,
The following vulnerability was published for logback.
CVE-2023-6378[0]:
| A serialization vulnerability in logback receiver component part of
| logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
| attack by sending poisoned data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-6378
https://www.cve.org/CVERecord?id=CVE-2023-6378
[1] https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.2.11-5
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated logback package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 Dec 2023 22:42:09 -0800
Source: logback
Architecture: source
Version: 1:1.2.11-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1057423
Changes:
logback (1:1.2.11-5) unstable; urgency=medium
.
* Add patch for CVE-2023-6378 (Closes: #1057423)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.