Bug 23721 - logback new security issue CVE-2017-5929
Summary: logback new security issue CVE-2017-5929
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-17 23:27 CEST by David Walser
Modified: 2019-02-14 09:40 CET (History)
4 users (show)

See Also:
Source RPM: logback-1.1.7-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-17 23:27:59 CEST
RedHat has fixed a security issue in logback in Satellite 6.4:
https://access.redhat.com/errata/RHSA-2018:2927

The issue is fixed upstream in 1.2.0.

Mageia 6 is also affected.
David Walser 2018-10-17 23:28:05 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2019-02-03 02:40:58 CET

Status comment: (none) => Fixed upstream in 1.2.0

Comment 1 David GEIGER 2019-02-03 21:30:31 CET
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-02-03 21:36:45 CET
Advisory:
========================

Updated logback packages fix security vulnerability:

It was found that logback is vulnerable to a deserialization issue. Logback can
be configured to allow remote logging through SocketServer/ServerSocketReceiver
interfaces that can accept untrusted serialized data. Authenticated attackers
on the adjacent network can leverage this vulnerability to execute arbitrary
code through deserialization of custom gadget chains (CVE-2017-5929).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
https://bugzilla.redhat.com/show_bug.cgi?id=1432858
========================

Updated packages in core/updates_testing:
========================
logback-1.1.3-2.1.mga6
logback-javadoc-1.1.3-2.1.mga6
logback-access-1.1.3-2.1.mga6
logback-examples-1.1.3-2.1.mga6

from logback-1.1.3-2.1.mga6.src.rpm

Assignee: java => qa-bugs
Whiteboard: MGA6TOO => (none)
Status comment: Fixed upstream in 1.2.0 => (none)
Version: Cauldron => 6

Comment 3 Herman Viaene 2019-02-07 09:48:48 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed cleanly, chased around to find some easy example, but this seems to be a java library which requires some additional code and configuration file to get anything working.
I propose to OK on clean install unless someone has a better idea.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Dave Hodgins 2019-02-14 06:54:34 CET
Advisory committed to svn. Validating based on comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2019-02-14 09:40:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0079.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.