This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git

commit e5a66b79acdec0ea85ac2e26ae8e1f90d42eef9d
Author: buildbot <us...@infra.apache.org>
AuthorDate: Sun Aug 17 11:05:14 2025 +0000

    Proofread CVE fix versions
    
    This PR double checks which Log4j Core versions resolved which 
vulnerabilities.
    
    **https://github.com/advisories/GHSA-fxph-q3j8-mv87** / **CVE-2017-5645** 
(server class) was never fixed, the TCP/UDP socket server is still there.
    
    **https://github.com/advisories/GHSA-vwqq-5vrc-xw9h** / **CVE-2020-9488** 
(host name validation) was fixed in `2.3.2`:
    
    - 
https://github.com/apache/logging-log4j2/commit/3c62f0bea692456b1b5039d3bcc1c3e0ba65146a
    
    **https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** / **CVE-2021-44228** 
(Log4Shell) was fixed in `2.3.1`:
    
    - 
https://github.com/apache/logging-log4j2/commit/be848dacbac6df30c4f32b2852e24446033ecf79
    - 
https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0
    
    **https://github.com/advisories/GHSA-7rjr-3q55-vv33** / **CVE-2021-45046** 
(Log4Shell through recursive lookup evaluation) was fixed in `2.3.1`:
    
    - 
https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0
    
    **https://github.com/advisories/GHSA-p6xc-xr62-6r2g** / **CVE-2021-45105** 
(DoS through recursive lookup evaluation) was fixed in `2.3.1`:
    
    - 
https://github.com/apache/logging-log4j2/commit/ce6b78d082aae89089cb3ad25cdd46e9ec70a70b
    
    **https://github.com/advisories/GHSA-8489-44mv-ggj8** / **CVE-2021-44832** 
(RCE if you have access to application classpath/configuration) was fixed in 
`2.3.1`:
    
    - 
https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0
    
    **https://github.com/advisories/GHSA-vwqq-5vrc-xw9h** / **CVE-2020-9488** 
(host name validation) was fixed in `2.12.3`:
    
    - 
https://github.com/apache/logging-log4j2/commit/2bcba12b185200b7f3f2532cbfeff1e1da0d5c81
    - 
https://github.com/apache/logging-log4j2/commit/bb94ea9fa921a61f90b6a934600567e719419ddd
    
    **https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** / **CVE-2021-44228** 
(Log4Shell) was fixed in `2.12.2`:
    
    - 
https://github.com/apache/logging-log4j2/commit/70edc233343815d5efa043b54294a6fb065aa1c5
    - 
https://github.com/apache/logging-log4j2/commit/f819c83804152cb6ed94cb408302e36b21b65053
    
    **https://github.com/advisories/GHSA-7rjr-3q55-vv33** / **CVE-2021-45046** 
(Log4Shell through recursive lookup evaluation) was fixed in `2.12.3`:
    
    - 
https://github.com/apache/logging-log4j2/commit/bf8ba18f63ab9f9ffd54387c5c527ecc7a681037
    
    **https://github.com/advisories/GHSA-p6xc-xr62-6r2g** / **CVE-2021-45105** 
(DoS through recursive lookup evaluation) was fixed in `2.12.3`:
    
    - 
https://github.com/apache/logging-log4j2/commit/bf7e916df6335713fe2219c7b3b523fb509deabc
    
    **https://github.com/advisories/GHSA-8489-44mv-ggj8** / **CVE-2021-44832** 
(RCE if you have access to application classpath/configuration) was fixed in 
`2.12.3`:
    
    - 
https://github.com/apache/logging-log4j2/commit/bf8ba18f63ab9f9ffd54387c5c527ecc7a681037
    
    **Note**: Unless I am mistaken, version `2.12.4` didn't contain any 
security updates.
    
    **https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** / **CVE-2021-44228** 
(Log4Shell) was fixed in `2.15.0`:
    
    - 
https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3
    - 
https://github.com/apache/logging-log4j2/commit/001aaada7dab82c3c09cde5f8e14245dc9d8b454
    
    **https://github.com/advisories/GHSA-7rjr-3q55-vv33** / **CVE-2021-45046** 
(Log4Shell through recursive lookup evaluation) was fixed in `2.16.0`:
    
    - 
https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
    - 
https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d
    
    **https://github.com/advisories/GHSA-p6xc-xr62-6r2g** / **CVE-2021-45105** 
(DoS through recursive lookup evaluation) was fixed in `2.17.0`:
    
    - 
https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd2458f64b2ea0b5e
    
    **https://github.com/advisories/GHSA-8489-44mv-ggj8** / **CVE-2021-44832** 
(RCE if you have access to application classpath/configuration) was fixed in 
`2.17.0`:
    
    - 
https://github.com/apache/logging-log4j2/commit/95b24f77e77e4f1e5cc794df5332643e944fd6f8
    
    **Note**: Unless I am mistaken, version `2.17.1` didn't contain any 
security updates.
    
    Automatic Site Publish by Buildbot
---
 content/feed.xml      |  2 +-
 content/security.html | 32 +++++++++++++++++++-------------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/content/feed.xml b/content/feed.xml
index 1e8eefa0..b16e80bc 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-15T14:47:05+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-17T11:05:13+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
 
 <p>A <strong>Vulnerability Exploitability eXchange (VEX)</strong> is a 
machine-readable file used to indicate whether vulnerabilities in an 
application’s third-party dependencies are actually exploitable.</p>
 
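Review bot: the only change in this hunk is the `<updated>` timestamp, but the `<subtitle>` element still carries Jekyll's scaffold placeholder ("Write an awesome description for your new site here. You can edit this line in _…"), which is being published in the live Atom feed on every build; set a real description in the site configuration so the placeholder stops shipping.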
diff --git a/content/security.html b/content/security.html
index e8c3ef9b..af4eabe4 100644
--- a/content/security.html
+++ b/content/security.html
@@ -458,11 +458,11 @@ We only extend this mathematical notation with set union 
operator (i.e., <code>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 
2.17.1)</code></p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 
2.17.0)</code></p></td>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for 
Java 7), or <code>2.17.1</code> (for Java 8 and later)</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), or <code>2.17.0</code> (for Java 8 and later)</p></td>
 </tr>
 </tbody>
 </table>
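Review bot: the "Versions affected" upper bounds and the "Versions fixed" row move the CVE-2021-44832 fix back from `2.3.2` / `2.12.4` / `2.17.1` to `2.3.1` / `2.12.3` / `2.17.0`, reversing the fix versions the page previously published, and the commit message itself hedges the claim ("Unless I am mistaken, version `2.17.1` didn't contain any security updates"). The commit the message cites as the `2.17.0` fix (95b24f77e77e4f1e5cc794df5332643e944fd6f8) should be linked from this section's reference list so the change is verifiable, and the half-open intervals re-checked against the release tags before this goes live.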
@@ -476,7 +476,7 @@ This issue is fixed by limiting JNDI data source names to 
the <code>java</code>
 <div class="sect3">
 <h4 id="CVE-2021-44832-mitigation">Mitigation</h4>
 <div class="paragraph">
-<p>Upgrade to <code>2.3.2</code> (for Java 6), <code>2.12.4</code> (for Java 
7), or <code>2.17.1</code> (for Java 8 and later).</p>
+<p>Upgrade to <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for Java 
7), or <code>2.17.0</code> (for Java 8 and later).</p>
 </div>
 <div class="paragraph">
 <p>In prior releases confirm that if the JDBC Appender is being used it is not 
configured to use any protocol other than <code>java</code>.</p>
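Review bot: the mitigation sentence now matches the table, but the paragraph that follows ("In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than `java`") is the only option for readers who cannot upgrade; since the fix version just moved down, it is worth saying explicitly that this configuration check applies to every release below the new versions, not only to the ones that were listed before.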
@@ -489,6 +489,9 @@ This issue is fixed by limiting JNDI data source names to 
the <code>java</code>
 <li>
 <p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></p>
 </li>
+<li>
+<p><a 
href="https://issues.apache.org/jira/browse/LOG4J2-3242";>LOG4J2-3242</a></p>
+</li>
 </ul>
 </div>
 </div>
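Review bot: the new `LOG4J2-3242` entry is added without any descriptor, and the same issue link is added to the CVE-2021-44228 reference list in a later hunk of this patch; if that issue is the basis for moving the fix versions, a few words after the link stating what it tracks would help readers understand why it is cited under two advisories.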
@@ -598,11 +601,11 @@ Applications using only the <code>log4j-api</code> JAR 
file without the <code>lo
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 
2.17.0)</code></p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 
2.16.0)</code></p></td>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), and <code>2.16.0</code> (for Java 8 and later)</p></td>
 </tr>
 </tbody>
 </table>
@@ -625,7 +628,7 @@ Applications using only the <code>log4j-api</code> JAR file 
without the <code>lo
 <div class="sect3">
 <h4 id="CVE-2021-45046-mitigation">Mitigation</h4>
 <div class="paragraph">
-<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), or <code>2.16.0</code> (for Java 8 and later).</p>
 </div>
 </div>
 <div class="sect3">
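Review bot: `2.16.0` is the release that first fixed CVE-2021-45046, but according to the commit message it is still affected by CVE-2021-45105 (DoS through recursive lookup evaluation, fixed in `2.17.0`), so "Upgrade to 2.16.0" is an incomplete recommendation for a reader who lands on this section alone; keep the historical first-fix version in the table, but have the mitigation point at a release that also closes the follow-up issue, or add a sentence referring to the later advisory.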
@@ -673,11 +676,11 @@ Applications using only the <code>log4j-api</code> JAR 
file without the <code>lo
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 
2.17.0)</code></p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.2) ∪ [2.13.0, 
2.15.0)</code></p></td>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), and <code>2.17.0</code> (for Java 8 and later)</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.1</code> (for Java 6), <code>2.12.2</code> (for 
Java 7), and <code>2.15.0</code> (for Java 8 and later)</p></td>
 </tr>
 </tbody>
 </table>
@@ -723,7 +726,7 @@ Log4j 1 configurations without <code>JMSAppender</code> are 
not impacted by this
 <div class="sect4">
 <h5 id="CVE-2021-44228-mitigation-log4j2">Log4j 2 mitigation</h5>
 <div class="paragraph">
-<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.3</code> (for 
Java 7), or <code>2.17.0</code> (for Java 8 and later).</p>
+<p>Upgrade to Log4j <code>2.3.1</code> (for Java 6), <code>2.12.2</code> (for 
Java 7), or <code>2.15.0</code> (for Java 8 and later).</p>
 </div>
 </div>
 </div>
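Review bot: the Log4j 2 mitigation now tells readers to upgrade to `2.12.2` / `2.15.0`, the releases in which CVE-2021-44228 was first fixed, yet per the commit message those releases remain subject to CVE-2021-45046 (fixed in `2.16.0` / `2.12.3`) and CVE-2021-45105 (fixed in `2.17.0` / `2.12.3`); a mitigation should recommend a release that closes the follow-up issues as well, or at least link to them, otherwise "first fixed in" and "safe to run" are being conflated.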
@@ -746,6 +749,9 @@ Log4j 1 configurations without <code>JMSAppender</code> are 
not impacted by this
 <li>
 <p><a 
href="https://issues.apache.org/jira/browse/LOG4J2-3201";>LOG4J2-3201</a></p>
 </li>
+<li>
+<p><a 
href="https://issues.apache.org/jira/browse/LOG4J2-3242";>LOG4J2-3242</a></p>
+</li>
 </ul>
 </div>
 </div>
@@ -772,11 +778,11 @@ Log4j 1 configurations without <code>JMSAppender</code> 
are not impacted by this
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta1, 2.12.3) ∪ [2.13.1, 2.13.2)</code></p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[2.0-beta1, 2.3.2) ∪ [2.4, 2.12.3) ∪ [2.13.0, 
2.13.2)</code></p></td>
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.12.3</code> (Java 7) and <code>2.13.2</code> (Java 8 
and later)</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.3.2</code> (for Java 6), <code>2.12.3</code> (for 
Java 7) and <code>2.13.2</code> (for Java 8 and later)</p></td>
 </tr>
 </tbody>
 </table>
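Review bot: besides adding the `2.3.2` (Java 6) fix described in the commit message, the "Versions affected" row also changes the Java 8 interval from `[2.13.1, 2.13.2)` to `[2.13.0, 2.13.2)`, which newly marks `2.13.0` as affected by CVE-2020-9488; the commit message does not mention this, so either confirm it against the `2.13.0` tag and record it, or restore the original lower bound.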
@@ -797,7 +803,7 @@ Usages of <code>SslConfiguration</code> that are configured 
via system propertie
 <div class="sect3">
 <h4 id="CVE-2020-9488-mitigation">Mitigation</h4>
 <div class="paragraph">
-<p>Upgrade to <code>2.12.3</code> (Java 7) or <code>2.13.2</code> (Java 8 and 
later).</p>
+<p>Upgrade to <code>2.3.2</code> (Java 6), <code>2.12.3</code> (Java 7) or 
<code>2.13.2</code> (Java 8 and later).</p>
 </div>
 <div class="paragraph">
 <p>Alternatively, users can set the 
<code>mail.smtp.ssl.checkserveridentity</code> system property to 
<code>true</code> to enable SMTPS hostname verification for all SMTPS mail 
sessions.</p>
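Review bot: wording drifts between the table in the previous hunk ("(for Java 6)") and this mitigation ("(Java 6)"); pick one form. The alternative in the following paragraph, setting `mail.smtp.ssl.checkserveridentity` to `true`, is described as applying to all SMTPS mail sessions, so the text could state plainly that it also changes the behaviour of any other SMTPS session in the same process, not just the Log4j appender's.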
@@ -849,7 +855,7 @@ Usages of <code>SslConfiguration</code> that are configured 
via system propertie
 </tr>
 <tr>
 <th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
-<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.8.2</code> (Java 7)</p></td>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>2.8.2</code> (for Java 7 and later)</p></td>
 </tr>
 </tbody>
 </table>
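Review bot: this row only rewords the fix version to `2.8.2` "(for Java 7 and later)", but the commit message states that CVE-2017-5645 (the socket server) "was never fixed, the TCP/UDP socket server is still there"; if this table is the CVE-2017-5645 entry, the page and the commit message disagree about whether `2.8.2` counts as a fix, and the row should say what `2.8.2` actually changed or be qualified accordingly.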
