Name | CVE-2017-5929 |
Description | QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-888-1 |
Debian Bugs | 857343 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
logback (PTS) | bullseye | 1:1.2.3-6 | fixed |
| bookworm | 1:1.2.11-3 | fixed |
| trixie | 1:1.2.11-5 | fixed |
| sid | 1:1.2.11-6 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9
https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5
https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968
Information asked about complete patchset to fix CVE-2017-5929: http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html