Bug#859801: jessie-pu: package logback/1:1.1.2-1

2017-04-25 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2017-04-24 at 13:56 +0200, Markus Koschany wrote:
> Am 23.04.2017 um 22:27 schrieb Adam D. Barratt:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2017-04-07 at 15:57 +0200, Markus Koschany wrote:
> >> I have prepared a security update for logback. [1]
> >> The security team marked this issue as no-dsa hence I would like
> >> to include it in the next point-release for Jessie.
> > 
> > Please go ahead.
> > 
> > Regards,
> > 
> > Adam
> 
> Uploaded. Thank you.

Flagged for acceptance.

Regards,

Adam



Bug#859801: jessie-pu: package logback/1:1.1.2-1

2017-04-24 Thread Markus Koschany
Am 23.04.2017 um 22:27 schrieb Adam D. Barratt:
> Control: tags -1 + confirmed
> 
> On Fri, 2017-04-07 at 15:57 +0200, Markus Koschany wrote:
>> I have prepared a security update for logback. [1]
>> The security team marked this issue as no-dsa hence I would like
>> to include it in the next point-release for Jessie.
> 
> Please go ahead.
> 
> Regards,
> 
> Adam

Uploaded. Thank you.






Bug#859801: jessie-pu: package logback/1:1.1.2-1

2017-04-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2017-04-07 at 15:57 +0200, Markus Koschany wrote:
> I have prepared a security update for logback. [1]
> The security team marked this issue as no-dsa hence I would like
> to include it in the next point-release for Jessie.

Please go ahead.

Regards,

Adam



Bug#859801: jessie-pu: package logback/1:1.1.2-1

2017-04-07 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have prepared a security update for logback. [1]
The security team marked this issue as no-dsa hence I would like
to include it in the next point-release for Jessie.

Thanks

Markus


[1] https://bugs.debian.org/857343
diff -Nru logback-1.1.2/debian/changelog logback-1.1.2/debian/changelog
--- logback-1.1.2/debian/changelog  2014-04-29 06:26:58.0 +0200
+++ logback-1.1.2/debian/changelog  2017-04-07 15:48:29.0 +0200
@@ -1,3 +1,13 @@
+logback (1:1.1.2-1+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-5929:
+It was discovered that logback, a flexible logging library for Java, would
+deserialize data from untrusted sockets. This issue has been resolved by
+adding a whitelist to use only trusted classes. (Closes: #857343)
+
+ -- Markus Koschany   Fri, 07 Apr 2017 15:48:29 +0200
+
 logback (1:1.1.2-1) unstable; urgency=medium
 
   * Team upload.
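Review bot: the changelog entry at `* Fix CVE-2017-5929:` says the fix adds "a whitelist to use only trusted classes" but does not name the affected entry points, while the diffstat further down lists changes to both the logback-access SocketNode and the logback-classic SocketNode, SimpleSocketServer and SocketAppender; stating that the socket-based receivers in both logback-access and logback-classic are the hardened components would let administrators judge from the changelog alone whether their deployment is exposed. `urgency=high` is consistent with a security upload and the `(Closes: #857343)` reference matches the bug cited in the mail.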
diff -Nru logback-1.1.2/debian/patches/CVE-2017-5929.patch 
logback-1.1.2/debian/patches/CVE-2017-5929.patch
--- logback-1.1.2/debian/patches/CVE-2017-5929.patch1970-01-01 
01:00:00.0 +0100
+++ logback-1.1.2/debian/patches/CVE-2017-5929.patch2017-04-07 
15:48:29.0 +0200
@@ -0,0 +1,364 @@
+From: Markus Koschany 
+Date: Fri, 7 Apr 2017 14:35:27 +0200
+Subject: CVE-2017-5929
+
+Bug-Debian: https://bugs.debian.org/857343
+Origin: 
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
+Origin: 
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9
+Origin: 
https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5
+Origin: 
https://github.com/qos-ch/logback/commit/3b4f605454534b3047703cb343521fcd6968
+---
+ .../access/net/HardenedAccessEventInputStream.java | 15 +
+ .../java/ch/qos/logback/access/net/SocketNode.java | 12 ++--
+ .../logback/classic/net/SimpleSocketServer.java|  1 -
+ .../ch/qos/logback/classic/net/SocketAppender.java |  2 -
+ .../ch/qos/logback/classic/net/SocketNode.java | 15 +++--
+ .../server/HardenedLoggingEventInputStream.java| 56 +
+ .../net/server/RemoteAppenderStreamClient.java | 10 +--
+ .../core/net/HardenedObjectInputStream.java| 71 ++
+ 8 files changed, 159 insertions(+), 23 deletions(-)
+ create mode 100644 
logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+ create mode 100644 
logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java
+ create mode 100644 
logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+
+diff --git 
a/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
 
b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+new file mode 100644
+index 000..c0ba6b0
+--- /dev/null
 
b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+@@ -0,0 +1,15 @@
++package ch.qos.logback.access.net;
++
++import java.io.IOException;
++import java.io.InputStream;
++
++import ch.qos.logback.access.spi.AccessEvent;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
++
++public class HardenedAccessEventInputStream extends HardenedObjectInputStream 
{
++
++public HardenedAccessEventInputStream(InputStream in) throws IOException {
++super(in, new String[] {AccessEvent.class.getName(), 
String[].class.getName()});
++}
++
++}
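Review bot: the whitelist passed in `super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()})` admits exactly two class names, and nothing in this file documents how that set was derived; a short class comment explaining that the stream only resolves these two types, plus a round-trip test that serializes a fully populated AccessEvent and reads it back through this stream, would catch a field type missing from the list, since such an omission would only surface as a runtime deserialization failure rather than a compile error. The new class also has no Javadoc, unlike the rest of the package.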
+diff --git 
a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java 
b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+index 32c6654..7db96a3 100644
+--- a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
 b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+@@ -15,7 +15,6 @@ package ch.qos.logback.access.net;
+ 
+ import java.io.BufferedInputStream;
+ import java.io.IOException;
+-import java.io.ObjectInputStream;
+ import java.net.Socket;
+ 
+ import ch.qos.logback.access.spi.AccessContext;
+@@ -42,16 +41,15 @@ public class SocketNode implements Runnable {
+ 
+   Socket socket;
+   AccessContext context;
+-  ObjectInputStream ois;
++  HardenedAccessEventInputStream hardenedOIS;
+ 
+   public SocketNode(Socket socket, AccessContext context) {
+ this.socket = socket;
+ this.context = context;
+ try {
+-  ois = new ObjectInputStream(new BufferedInputStream(socket
+-  .getInputStream()));
++hardenedOIS = new HardenedAccessEventInputStream(new 
BufferedInputStream(socket.getInputStream()));
+ } catch (Exception e) {
+-  System.out.println("Could not open ObjectInputStream to " + socket + e);
++  System.out.println("Could not open HardenedObjectInputStream
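Review bot: the error message on the new `System.out.println("Could not open HardenedObjectInputStream` line does not match the class actually constructed two lines above (`new HardenedAccessEventInputStream(...)`); align the message with the real class name so log readers are not sent looking for the wrong type. Separately, the catch block still prints to stdout and leaves `hardenedOIS` null instead of failing construction; that behaviour is carried over unchanged from the old `ois` code, but since this is now the hardening path it would be worth reporting the failure through the AccessContext's status reporting rather than stdout.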