[logback-user] Please clarify fixing commits for CVE-2017-5929
apo at debian.org
Wed Mar 29 11:03:38 CEST 2017
I am currently investigating CVE-2017-5929. According to  release
1.2.0 resolved the issue and  contains an overview about related
commits for this version. In Debian we would like to fix this security
vulnerability by backporting the necessary changes only.
What are the fixing commits for CVE-2017-5929? To me it looks like
"harden serialization", "correct package name", "Harden reading from
ObjectInputStream" and "fix test failures" are relevant but it might
also be possible that only "harden serialization" is sufficient. Could
you clarify this information please?
Please also consider updating your news page with this information,
which would simplify the job for other security researchers and Linux
distributions to quickly address this issue.