Control: retitle -1 logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
Hi Markus, On Tue, Mar 28, 2017 at 09:41:30AM +0200, Markus Koschany wrote: > Hello security team, > > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot verify that at the moment. > Would you like to request a CVE id or shall I take care of it? There apparently was a mistake on triaging CVE-2017-5929. This should be: https://security-tracker.debian.org/tracker/CVE-2017-5929 I fixed the tracker entry and it should display the correct information on the next update. Regards, Salvatore
