Back to apache-log4j2 PTS page

Accepted apache-log4j2 2.17.0-1 (source) into unstable

To: debian-devel-changes@lists.debian.org
Subject: Accepted apache-log4j2 2.17.0-1 (source) into unstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sat, 18 Dec 2021 18:18:44 +0000
Mail-followup-to: debian-devel@lists.debian.org
Message-id: <E1myeI8-000EYM-B1@fasolo.debian.org>
Reply-to: debian-devel@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Dec 2021 17:09:22 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1001891
Changes:
 apache-log4j2 (2.17.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.17.0.
     - Fix CVE-2021-45105:
       Apache Log4j2 did not protect from uncontrolled recursion from
       self-referential lookups. When the logging configuration uses a
       non-default Pattern Layout with a Context Lookup (for example,
       $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
       input data can craft malicious input data that contains a recursive
       lookup, resulting in a denial of service. (Closes: #1001891)
       Thanks to Salvatore Bonaccorso for the report.
Checksums-Sha1:
 0d171b8f17b5283c1256f1057434ec549c48f180 3019 apache-log4j2_2.17.0-1.dsc
 24838ff3852d4043c5337b090c501698360eef85 1287192 apache-log4j2_2.17.0.orig.tar.xz
 1be40de7bb76e481450500ac0e0cecae49d6f5c7 7512 apache-log4j2_2.17.0-1.debian.tar.xz
 b328759a2b88bf9b61cca1d9653a4266efccf5b5 14605 apache-log4j2_2.17.0-1_amd64.buildinfo
Checksums-Sha256:
 44e3a04ac63579338c8e9b5c59850898e76a307bcf8271303447afa62c197f81 3019 apache-log4j2_2.17.0-1.dsc
 7c9a8976f9672bf7cc31ded21b2dddc5f6a3cee4621e53dfe5aab65ef82eae24 1287192 apache-log4j2_2.17.0.orig.tar.xz
 54b041799a600845d65c97ecf35e41c4129b5dbfee68f9cd96b1b1d60b49e615 7512 apache-log4j2_2.17.0-1.debian.tar.xz
 1667ee35ec38a88d8f061b75f90310c2c30f3508d807fd4049c0b2c3371ba69b 14605 apache-log4j2_2.17.0-1_amd64.buildinfo
Files:
 6d558abdcd0854507226750b2f16efa4 3019 java optional apache-log4j2_2.17.0-1.dsc
 61eb8d0690bb3f95ec55ec6eeb0c27ad 1287192 java optional apache-log4j2_2.17.0.orig.tar.xz
 05b20bec8c21bb309cfb96cf062649d5 7512 java optional apache-log4j2_2.17.0-1.debian.tar.xz
 b5c3c482cc77bd84bf57fcb14b8b063c 14605 java optional apache-log4j2_2.17.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG+IBRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkyoMP/1VnBa1nsnwiKM4datS0eeVuo9+vaBp9rDI+
YjwCB9FH78d6vD6OgS3pnb8yRhOR1Q57BX4qRx3D4r8M3Cqy5ouQLhuCXWMnFwAh
aDm+Wd+eOp3kWFr7HGjLXmaAAf4F3Jx6NULCO/DIVS4dYgX910vlh1Y540/uVAPS
1Kr+H6yyTwOFhOh37IOcCiFEt4QTPv4wxNxIeKVq3DqWAwVUnH2KNEAzOw2AoeQE
7oiyFKXwEDdYVLLSTpcMUpRdEU7kSKOf/kku6I1N8B2SWSns8B0sKPST9uT26aUV
KZ5XyWm/uazAAEcmt1ngsqBbBEuBKUOFCdPg206DmgSEpg2WtlZyDDw1HfCkGn3u
nqvqRe0kHogZ745tr4WebiHQAtABS7icaDMgXGrmFxfPOorRhFBjmAorx5fOi666
i7eoN+pdsJx3WV0znRMK4hlD7F7e5mCCxlguyxqQT6EMMu2WIe5257GrCQ3BOmyy
mbTnhbgJqDwru+Zwkw+98DrF1bYfMb1xvEf/j5f/XZCsR7BXROFozTL7yHc5G+wO
8C1KRlqs9Zq62A+P/DtVa2OItc5WcL5AKud24gOzd8aV9acYHDpVLanWWt+GoBV+
iSgsTJJ3IXPSOl9YYqNHF0fbdSUO+uVpWLNB3gEEAqlJyZ6b3THb+rgVadNYReTp
LcS0i7sz
=5t+i
-----END PGP SIGNATURE-----