Am 31.03.2017 um 08:10 schrieb Fabrice Dagorn: > Hi, > I have made a quick and dirty POC for this issue. > This results in a remote code execution in the JVM that exposes a > ServerSocketReceiver. > > Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. > > The POC is available on demand. > > Regards, > Fabrice Dagorn
Hi, Yes, please send the POC to a...@debian.org and describe the scenario how you trigger this issue. Upstream still has not responded to my inquiry. If I don't hear from then until the beginning of next week I will backport the other commits on a best effort basis. Regards, Markus
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.