
[SECURITY] [DLA 888-1] logback security update



Package        : logback
Version        : 1:1.0.4-1+deb7u1
CVE ID         : CVE-2017-5929
Debian Bug     : 857343

It was discovered that logback, a flexible logging library for Java,
would deserialize data from untrusted sockets which may lead to the
execution of arbitrary code. This issue has been resolved by adding a
whitelist to use only trusted classes.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.0.4-1+deb7u1.

We recommend that you upgrade your logback packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS