Source: libslf4j-java
Version: 1.7.25-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://jira.qos.ch/browse/SLF4J-430
Control: found -1 1.7.7-1

Hi,

the following vulnerability was published for libslf4j-java.

CVE-2018-8088[0]:
| org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before
| 1.8.0-beta2 allows remote attackers to bypass intended access
| restrictions via crafted data.

Unfortunately upstream does not tell us much on the security issue.
[1] itself and the subtask [2] only tell us that the EventData is
going to be marked first as deprecated (then removed) "due to a
security vulnerability" [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8088
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
[1] https://jira.qos.ch/browse/SLF4J-430
[2] https://jira.qos.ch/browse/SLF4J-430
[3] https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405

Please adjust the affected versions in the BTS as needed.
that all earlier versions are affected.

Regards,
Salvatore
