Please clarify fixing commits for CVE-2017-5929

Hello,

I am currently investigating CVE-2017-5829. According to [1], release 1.2.0 resolved the issue, and [2] contains an overview of the related commits for this version. In Debian we would like to fix this security vulnerability by backporting the necessary changes only. What are the fixing commits for CVE-2017-5929? To me it looks like "harden serialization", "correct package name", "Harden reading from ObjectInputStream" and "fix test failures" are relevant, but it might also be possible that only "harden serialization" is sufficient. Could you clarify this information, please?

Please also consider updating your news page with this information, which would simplify the job for other security researchers and Linux distributions to quickly address this issue.

Regards,

Markus Koschany

[1] https://logback.qos.ch/news.html
[2] https://github.com/qos-ch/logback/commits/v_1.2.0