RedHat has fixed a security issue in logback in Satellite 6.4:
https://access.redhat.com/errata/RHSA-2018:2927

The issue is fixed upstream in 1.2.0.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.2.0
Fixed both Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated logback packages fix security vulnerability:

It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains (CVE-2017-5929).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
https://bugzilla.redhat.com/show_bug.cgi?id=1432858
========================

Updated packages in core/updates_testing:
========================
logback-1.1.3-2.1.mga6
logback-javadoc-1.1.3-2.1.mga6
logback-access-1.1.3-2.1.mga6
logback-examples-1.1.3-2.1.mga6

from logback-1.1.3-2.1.mga6.src.rpm

Version: Cauldron => 6
Status comment: Fixed upstream in 1.2.0 => (none)
Whiteboard: MGA6TOO => (none)
Assignee: java => qa-bugs
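The advisory above concerns installations where logback is configured to accept remote events. As an added example (not part of this bug report or of logback itself), the following check lists the `<receiver>` elements in a `logback.xml` that open a listening socket. The receiver class names, the default port 4560 and the listen-on-all-interfaces default are taken from logback's documentation, not from this page; the sample configuration is constructed, and a `SimpleSocketServer` started from the command line is not visible to this check.

```python
import xml.etree.ElementTree as ET

# Receiver classes that open a listening socket and deserialize incoming
# logging events (names per logback's documentation, not from this page).
SERVER_RECEIVERS = {
    "ch.qos.logback.classic.net.server.ServerSocketReceiver",
    "ch.qos.logback.classic.net.server.SSLServerSocketReceiver",
}
DEFAULT_PORT = "4560"  # documented default when <port> is omitted
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """
<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>6000</port>
  </receiver>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <address>127.0.0.1</address>
  </receiver>
  <root level="INFO"/>
</configuration>
"""


def find_socket_receivers(xml_text):
    """Return one finding per server-side <receiver> in a logback.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for rec in root.iter("receiver"):
        cls = (rec.get("class") or "").strip()
        if cls not in SERVER_RECEIVERS:
            continue
        address = (rec.findtext("address") or "").strip()
        findings.append({
            "class": cls.rsplit(".", 1)[-1],
            "port": (rec.findtext("port") or DEFAULT_PORT).strip(),
            # No <address> means the receiver listens on all interfaces.
            "address": address or "*",
            "loopback_only": address in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for finding in find_socket_receivers(SAMPLE_CONFIG):
        print(finding)
```

A finding with `loopback_only` set to false marks a configuration that accepts serialized events from the network and should be prioritised for the update.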
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Installed cleanly, chased around to find some easy example, but this seems to be a java library which requires some additional code and configuration file to get anything working.

I propose to OK on clean install unless someone has a better idea.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Advisory committed to svn. Validating based on comment 3.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0079.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED