subject:"Bug#857343\: closed by Markus Koschany \(Bug#857343\: fixed in logback 1\:1.1.9\-2\)"

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-04 Thread Markus Koschany

Am 01.04.2017 um 08:20 schrieb Fabrice Dagorn: > The POC is a simple Eclipse java project. > > UnsafeReceiver will open a ServerSocketReceiver on port and wait > forever. > > Injector will then open a client Socket to the ServerSocketReceiver and > serialize a Calculator instance through the

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn

The POC is a simple Eclipse java project. UnsafeReceiver will open a ServerSocketReceiver on port and wait forever. Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire. Calculator implements ILoggingEvent to prevent C

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany

Am 31.03.2017 um 08:10 schrieb Fabrice Dagorn: > Hi, > I have made a quick and dirty POC for this issue. > This results in a remote code execution in the JVM that exposes a > ServerSocketReceiver. > > Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. > > The POC is available on de

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany

You could also attach the POC to this bug report. The vulnerability is publicly known by now anyway. Markus signature.asc Description: OpenPGP digital signature

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-30 Thread Fabrice Dagorn

Hi, I have made a quick and dirty POC for this issue. This results in a remote code execution in the JVM that exposes a ServerSocketReceiver. Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. The POC is available on demand. Regards, Fabrice Dagorn

Processed: Re: Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Debian Bug Tracking System

Processing control commands: > reopen -1 Bug #857343 {Done: Markus Koschany } [liblogback-java] logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components Bug #858914 {Done: Markus Koschany } [liblogback-java] CVE-2017-5929: serialization

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Markus Koschany

Control: reopen -1 Am 29.03.2017 um 08:11 schrieb Fabrice Dagorn: > Thank you for your upload. > > But i think that the issue is not completely solved, upstream made it in > several commits (https://github.com/qos-ch/logback/commits/v_1.2.0). > > The comment is not meaningful but this one is rel

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-28 Thread Fabrice Dagorn

Thank you for your upload. But i think that the issue is not completely solved, upstream made it in several commits (https://github.com/qos-ch/logback/commits/v_1.2.0). The comment is not meaningful but this one is related to the vulnerability : https://github.com/qos-ch/logback/commit/979b0

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Processed: Re: Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

Bug#857343: closed by Markus Koschany (Bug#857343: fixed in logback 1:1.1.9-2)

8 matches

Site Navigation

Mail list logo

Footer information