Accepted apache-log4j2 2.16.0-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Dec 2021 02:38:06 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1001729
Changes:
 apache-log4j2 (2.16.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.16.0.
     - Fix CVE-2021-45046:
       It was found that the fix to address CVE-2021-44228 in Apache Log4j
       2.15.0 was incomplete in certain non-default configurations. This could
       allow attackers with control over Thread Context Map (MDC) input data
       when the logging configuration uses a non-default Pattern Layout with
       either a Context Lookup (for example, $${ctx:loginId}) or a Thread
       Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
       using a JNDI Lookup pattern resulting in a denial of service (DOS)
       attack.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729)
Checksums-Sha1:
 84452ae9920e07498d190f23dbb352de07cec021 3019 apache-log4j2_2.16.0-1.dsc
 29ed458aa60e1821908564fd66438c6e9206e282 1285464 apache-log4j2_2.16.0.orig.tar.xz
 b00e68c97b8d86f9a0320fc5e505382862693ac2 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 c4a092f6a451e43d3a1bebe5f30d9c391ad8e20f 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Checksums-Sha256:
 0303d3a9221df4a1f8d71c6192fab55df6b7e3129d0ce1f0a05fa1b346b011e1 3019 apache-log4j2_2.16.0-1.dsc
 d36a7556e7027819aaceef02838dcfaa3dd368f74f92b9585b2b6a442eb2194f 1285464 apache-log4j2_2.16.0.orig.tar.xz
 bac5638d94b45cb184a15a7ae1e21f9b2facd58671a3cc78a5a83bc97d5037e5 7424 apache-log4j2_2.16.0-1.debian.tar.xz
 679bf0ff52a54ccb8d8b48b26e7248bd2bb9b192819d29c99935c81aead9f687 14600 apache-log4j2_2.16.0-1_amd64.buildinfo
Files:
 6db3941ea2f5e950f40eb254127ecb1b 3019 java optional apache-log4j2_2.16.0-1.dsc
 d7a5e122b9ff61c6272c62347b25986b 1285464 java optional apache-log4j2_2.16.0.orig.tar.xz
 4ba7944a2006edf1a742a03cf1a24bf2 7424 java optional apache-log4j2_2.16.0-1.debian.tar.xz
 0196f7afd4acc39fc3c392ca44e261f7 14600 java optional apache-log4j2_2.16.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----