Am 31.03.2017 um 08:10 schrieb Fabrice Dagorn:
> Hi,
> I  have made a quick and dirty POC for this issue.
> This results in a remote code execution in the JVM that exposes a
> ServerSocketReceiver.
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
> The POC is available on demand.
> Regards,
> Fabrice Dagorn


Yes, please send the POC to and describe the scenario how
you trigger this issue. Upstream still has not responded to my inquiry.
If I don't hear from then until the beginning of next week I will
backport the other commits on a best effort basis.



Attachment: signature.asc
Description: OpenPGP digital signature

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to