Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
On Tue, Mar 28, 2017 at 05:48:16PM +0200, Markus Koschany wrote:
> Control: forcemerge 857343 858914
> 
> On 28.03.2017 at 17:38, Guido Günther wrote:
> > Package: logback
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > the following vulnerability was published for logback.
> > 
> > CVE-2017-5929[0]:
> > | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
> > | the SocketServer and ServerSocketReceiver components.
> 
> [...]
> 
> Hi Guido,
> 
> this is a duplicate of #857343 which I am going to fix very soon.

Yeah, I noticed after filing it. Sorry for the noise and thanks for
fixing it in sid. I've also added it to dla-needed.
Cheers,
 -- Guido

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Markus Koschany
Control: forcemerge 857343 858914

On 28.03.2017 at 17:38, Guido Günther wrote:
> Package: logback
> Severity: grave
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for logback.
> 
> CVE-2017-5929[0]:
> | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
> | the SocketServer and ServerSocketReceiver components.

[...]

Hi Guido,

this is a duplicate of #857343 which I am going to fix very soon.

Cheers,

Markus




Processed (with 1 error): Re: Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Debian Bug Tracking System
Processing control commands:

> forcemerge 857343 858914
Bug #857343 [liblogback-java] logback: CVE-2017-5929: serialization 
vulnerability affecting the SocketServer and ServerSocketReceiver components
Unable to merge bugs because:
package of #858914 is 'logback' not 'liblogback-java'
Failed to forcibly merge 857343: Did not alter merged bugs.


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
858914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858914: CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver

2017-03-28 Thread Guido Günther
Package: logback
Severity: grave
Tags: security

Hi,

the following vulnerability was published for logback.

CVE-2017-5929[0]:
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting
| the SocketServer and ServerSocketReceiver components.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5929
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Please adjust the affected versions in the BTS as needed.
