Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package log4j for openSUSE:Factory checked in at 2021-12-16 21:18:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/log4j (Old)
and /work/SRC/openSUSE:Factory/.log4j.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "log4j"
Thu Dec 16 21:18:56 2021 rev:33 rq:940844 version:2.16.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/log4j/log4j.changes 2021-12-16
02:01:13.363643417 +0100
+++ /work/SRC/openSUSE:Factory/.log4j.new.2520/log4j.changes 2021-12-16
21:19:32.674526544 +0100
@@ -7,2 +7,4 @@
- - Create module log4j-mongodb4 to use new major version 4 MongoDB driver.
- - More flexible configuration of the Disruptor WaitStrategy. Thanks to
Stepan Gorban.
+ - Create module log4j-mongodb4 to use new major version 4
+ MongoDB driver.
+ - More flexible configuration of the Disruptor WaitStrategy.
+ Thanks to Stepan Gorban.
@@ -11,10 +13,13 @@
- Log4j 2.15.0 was incomplete in certain non-default configurations.
- This could allows attackers with control over Thread Context Map (MDC)
- input data when the logging configuration uses a Pattern Layout with
- either a Context Lookup (for example, $${ctx:loginId}) or a Thread
- Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
- using a JNDI Lookup pattern resulting in a denial of service (DOS)
attack.
- Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.
- Note that previous mitigations involving configuration such as setting
the
- system property log4j2.noFormatMsgLookup to true do NOT mitigate this
- specific vulnerability.
+ Log4j 2.15.0 was incomplete in certain non-default
+ configurations.
+ This could allows attackers with control over Thread Context
+ Map (MDC) input data when the logging configuration uses a
+ Pattern Layout with either a Context Lookup (for example,
+ $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or
+ %MDC) to craft malicious input data using a JNDI Lookup
+ pattern resulting in a denial of service (DOS) attack.
+ Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by
+ default. Note that previous mitigations involving
+ configuration such as setting the system property
+ log4j2.noFormatMsgLookup to true do NOT mitigate this specific
+ vulnerability.
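Review bot: the rewrapped text carries over the grammatical slip in `+ This could allows attackers with control over Thread Context`; since these lines are being reflowed anyway, change it to "This could allow attackers". Also, unlike the other entries in this file, the paragraph about the 2.15.0 fix being incomplete cites no bsc#/CVE identifier; add the tracker reference if one is available so the 2.16.0 entry is as traceable as the ones below it.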
@@ -23,3 +28,13 @@
- * Drop CVE-2021-44228.patch included upstream
- * To make the bots happy this stream isn't affected by bsc#1193662
CVE-2021-4104 which is
- 1.X only
+ * Drop CVE-2021-44228.patch and disable-jndi-by-default.patch
+ included upstream
+ * To make the bots happy this stream isn't affected by
+ bsc#1193662 CVE-2021-4104 which is 1.X only
+
+-------------------------------------------------------------------
+Tue Dec 14 17:43:26 UTC 2021 - Peter Simons <[email protected]>
+
+- Apply "disable-jndi-by-default.patch" to disable JNDI support by
+ default. There is evidence that the previous upstream fix for
+ CVE-2021-44228 did not solve the vulnerability entirely. Since
+ JNDI support is ususally not required, upstream recommends this
+ route to be completely safe. [bsc#1193611, CVE-2021-44228]
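Review bot: typo in `+ JNDI support is ususally not required, upstream recommends this`, "ususally" should read "usually". Note also that the top of this hunk drops `disable-jndi-by-default.patch` as included upstream while the new Dec 14 entry below applies it; that is consistent newest-first, but it would help readers of the Dec 14 entry to say the patch was an interim measure superseded by 2.16.0, so nobody looks for it in the current spec file.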
@@ -125,0 +141 @@
+ * log4j-CVE-2020-9488.patch
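Review bot: with no context lines (`@@ -125,0 +141 @@`) it is not visible which changelog entry the bullet `+ * log4j-CVE-2020-9488.patch` is being appended to; it reads like a patch-list bullet under an existing entry, so please confirm it lands under the intended heading and that the entry's own lead-in (for example "Drop ..." or "Add ...") actually applies to it. The patch itself is introduced in the Apr 27 2020 entry added further down.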
@@ -127,0 +144,7 @@
+
+-------------------------------------------------------------------
+Mon Apr 27 11:21:57 UTC 2020 - Pedro Monreal Gonzalez
<[email protected]>
+
+- Security fix: [bsc#1170535, CVE-2020-9488]
+ * Improper validation of certificate with host mismatch in SMTP appender.
+- Add log4j-CVE-2020-9488.patch
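Review bot: this hunk back-fills a changelog entry dated Mon Apr 27 2020 in a Dec 2021 request; .changes files are ordered newest-first, so the entry must sit at the matching chronological position (the +144 offset suggests it does), and the date should reflect when log4j-CVE-2020-9488.patch was actually applied to this package, otherwise the bsc#1170535 bookkeeping will point at a back-dated entry. The author line is also split across two lines here with `<[email protected]>` lacking a `+` prefix; verify that is only mail wrapping and not a malformed line in the file.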
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------