[logback-user] Please clarify fixing commits for CVE-2017-5929

Markus Koschany apo at debian.org
Wed Mar 29 11:03:38 CEST 2017


I am currently investigating CVE-2017-5829. According to [1] release
1.2.0 resolved the issue and [2] contains an overview about related
commits for this version. In Debian we would like to fix this security
vulnerability by backporting the necessary changes only.

What are the fixing commits for CVE-2017-5929? To me it looks like
"harden serialization", "correct package name", "Harden reading from
ObjectInputStream" and "fix test failures" are relevant but it might
also be possible that only "harden serialization" is sufficient. Could
you clarify this information please?

Please also consider to update your news page with this information
which would simplify the job for other security researchers and Linux
distributions to quickly address this issue.


Markus Koschany

[1] https://logback.qos.ch/news.html
[2] https://github.com/qos-ch/logback/commits/v_1.2.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.qos.ch/pipermail/logback-user/attachments/20170329/c45a70ff/attachment.sig>

More information about the logback-user mailing list