CVE-2017-5929

Name: CVE-2017-5929
Description: QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-888-1
Debian Bugs: 857343

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version            Status
logback (PTS)    jessie        1:1.1.2-1+deb8u1   fixed
                 stretch       1:1.1.9-3          fixed
                 buster        1:1.2.3-5          fixed
                 bullseye      1:1.2.3-6          fixed
                 bookworm      1:1.2.11-3         fixed
                 sid, trixie   1:1.2.11-5         fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin      Debian Bugs
logback   source   wheezy       1:1.0.4-1+deb7u1              DLA-888-1
logback   source   jessie       1:1.1.2-1+deb8u1
logback   source   (unstable)   1:1.1.9-3                                 857343

Notes

https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9
https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5
https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968
Information was requested about the complete patchset needed to fix CVE-2017-5929: http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html
