Back to apache-log4j2 PTS page

Accepted apache-log4j2 2.12.4-0+deb9u1 (source) into oldoldstable

To: dispatch@tracker.debian.org, debian-lts-changes@lists.debian.org
Subject: Accepted apache-log4j2 2.12.4-0+deb9u1 (source) into oldoldstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Wed, 29 Dec 2021 22:30:14 +0000
Mail-followup-to: debian-lts@lists.debian.org
Message-id: <E1n2hSY-0003mY-Bc@seger.debian.org>
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Dec 2021 23:15:15 CET
Source: apache-log4j2
Binary: liblog4j2-java
Architecture: source
Version: 2.12.4-0+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblog4j2-java - Apache Log4j - Logging Framework for Java
Checksums-Sha1:
 f87a100c103b8320a0c2af0a83dbb0d08d2bee7f 3024 apache-log4j2_2.12.4-0+deb9u1.dsc
 4afd053339d0f7a1e6c05f084c9a122a5d79c40c 1118624 apache-log4j2_2.12.4.orig.tar.xz
 46814384e20ab11d58338d264be14957b35a2833 6900 apache-log4j2_2.12.4-0+deb9u1.debian.tar.xz
 e8321d4499db370f30dd840392b96c22ab0d5134 17215 apache-log4j2_2.12.4-0+deb9u1_amd64.buildinfo
Checksums-Sha256:
 8085d9dbefab8abfb8b54ab9dcc7c743caecdae95544f55aa2dbbbe6ba360baa 3024 apache-log4j2_2.12.4-0+deb9u1.dsc
 6feb536106edb3d66ea0a1feed3ec9d84ee04d3cc6d9b92484a745cd4d3c404d 1118624 apache-log4j2_2.12.4.orig.tar.xz
 ce94f64ebcdbe8202f32c5db653ef53f39f8233a452454434277e8897b3775df 6900 apache-log4j2_2.12.4-0+deb9u1.debian.tar.xz
 183acb4efd692a95df52bee51619ef749e6a0925f72dcae5f4c3ed48b5e27ffb 17215 apache-log4j2_2.12.4-0+deb9u1_amd64.buildinfo
Changes:
 apache-log4j2 (2.12.4-0+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-44832:
     Apache Log4j2 is vulnerable to a remote code execution (RCE) attack where
     an attacker with permission to modify the logging configuration file can
     construct a malicious configuration using a JDBC Appender with a data
     source referencing a JNDI URI which can execute remote code. This issue is
     fixed by limiting JNDI data source names to the java protocol.
Files:
 0a921e3c34d251dbb6278e475dba3f64 3024 java optional apache-log4j2_2.12.4-0+deb9u1.dsc
 c3d22e5ac8040eaf95832417a9fd0064 1118624 java optional apache-log4j2_2.12.4.orig.tar.xz
 e001cfe33023e5b628871f8d651ef97e 6900 java optional apache-log4j2_2.12.4-0+deb9u1.debian.tar.xz
 1c002daae2b591c63153842b273ab66a 17215 java optional apache-log4j2_2.12.4-0+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmHM3gBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk18AP/jGqkYwY9GhJULtNzKKiau70F9/5d3dNP4XX
0q9kmdz0/a2+lC544JvbvQdDtZzT/KK2+GN11A6S0OfOazZO0cW89WberZpqEUk2
qLc/rnIxmqOK6K8GjuqI0eOqZ/SG44ZZwq9Ixrvj53RlDUwOypn8ezQHxBYKTCXy
8fJO1+u8mv2muGbAarMSFUb3VYqzxNrVk+I2iKIeuGLOAD895Y8BkFIq3PTN1OcV
oLxYa2jMEEZPQvaSAQ1qmdsj5pm8WN+Zsed00rVCrtqiWNMY48Xq2TJjkasfczbU
vRjzbHlJ/On0eQPsJZkRgKMv4L5Bo0CD1zPM39SemuleJWtBmMQt2if+/mj5nhiQ
M+8PB8bm5TLZGRpQruQe72K7KyQ0aM/xHmJAkwgy+7BHlEwZA8+VvpXI7IY3tYLH
YqjDej8dEP3lhUsbNQ+gmWAxgoO7iGQfHvCVFY+xemBc44uncHRFjlr6Ngv2+/K5
B0o8SD/ApbWi0cO+8Hlo3noj+q2JnaEbvgfSOYm9n858xvMSwTG9t83xKvldcBbz
8ICzZSq5soRsW/JZC90cYhjQ2KWqmPfPOBMD+6OdDUNsVn34rvA2kPJU1XZQ+mRu
9mP3eF3yC3kS15og+QROLfTOj4UcF/4QMPhyWPICP3AjCSakE6vQRz/Mwd4nfo0G
gJhMwoC8
=i28w
-----END PGP SIGNATURE-----