Bug 23721

Summary: logback new security issue CVE-2017-5929
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK
Source RPM: logback-1.1.7-2.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-10-17 23:27:59 CEST
RedHat has fixed a security issue in logback in Satellite 6.4:
https://access.redhat.com/errata/RHSA-2018:2927

The issue is fixed upstream in 1.2.0.

Mageia 6 is also affected.
David Walser 2018-10-17 23:28:05 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2019-02-03 02:40:58 CET

Status comment: (none) => Fixed upstream in 1.2.0

Comment 1 David GEIGER 2019-02-03 21:30:31 CET
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-02-03 21:36:45 CET
Advisory:
========================

Updated logback packages fix security vulnerability:

It was found that logback is vulnerable to a deserialization issue. Logback can
be configured to allow remote logging through SocketServer/ServerSocketReceiver
interfaces that can accept untrusted serialized data. Authenticated attackers
on the adjacent network can leverage this vulnerability to execute arbitrary
code through deserialization of custom gadget chains (CVE-2017-5929).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
https://bugzilla.redhat.com/show_bug.cgi?id=1432858
========================

Updated packages in core/updates_testing:
========================
logback-1.1.3-2.1.mga6
logback-javadoc-1.1.3-2.1.mga6
logback-access-1.1.3-2.1.mga6
logback-examples-1.1.3-2.1.mga6

from logback-1.1.3-2.1.mga6.src.rpm

Version: Cauldron => 6
Status comment: Fixed upstream in 1.2.0 => (none)
Whiteboard: MGA6TOO => (none)
Assignee: java => qa-bugs
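The receiver-side hardening that the advisory in comment 2 implies, as an added Java example that is not part of this bug report or of logback's own code: a deserialization stream that resolves only an allowlist of event classes and refuses every other class before it is instantiated. The logback class names in the allowlist are assumed for illustration; the demo itself uses plain JDK types so it runs without logback on the classpath.

```java
import java.io.*;
import java.util.*;

// Added illustration, not logback's code: an allowlisting ObjectInputStream for a
// log receiver; the logback class names in ALLOWED are assumed for illustration.
public class HardenedEventReader {
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "ch.qos.logback.classic.spi.LoggingEventVO", // assumed event payload type
        "ch.qos.logback.classic.Level",              // assumed
        "java.util.HashMap"));                       // used by the demo below

    static final class HardenedObjectInputStream extends ObjectInputStream {
        HardenedObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Primitive arrays ("[B", "[[I") carry no object graph: always safe.
            if (name.matches("^\\[+[ZBCSIJFD]$")) return super.resolveClass(desc);
            // Object arrays are judged by their component type ("[Lfoo.Bar;" -> "foo.Bar").
            String component = name.replaceFirst("^\\[+L(.+);$", "$1");
            if (!ALLOWED.contains(component)) {
                // Refused before instantiation, so no readObject()/readResolve() of
                // an unexpected class (the gadget-chain entry point) ever runs.
                throw new InvalidClassException(name, "not on receiver allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Reads one event from an untrusted byte stream under the allowlist.
    static Object readEvent(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new HardenedObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> event = new HashMap<>(); // constructed stand-in for an event
        event.put("logger", "app"); event.put("message", "hello");
        System.out.println("accepted: " + readEvent(serialize(event)));
        try { readEvent(serialize(new Date())); } // any other class is rejected at resolution
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On JDK 9 and later the same policy can also be expressed with java.io.ObjectInputFilter (JEP 290), which additionally caps graph depth and array sizes; either way the point is that the receiver, not the sender, decides which classes may be materialised.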

Comment 3 Herman Viaene 2019-02-07 09:48:48 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed cleanly, chased around to find some easy example, but this seems to be a java library which requires some additional code and configuration file to get anything working.
I propose to OK on clean install unless someone has a better idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 4 Dave Hodgins 2019-02-14 06:54:34 CET
Advisory committed to svn. Validating based on comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2019-02-14 09:40:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0079.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED