Source: apache-log4j2
Version: 2.11.2-1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-2819

Hi,

The following vulnerability was published for apache-log4j2.

CVE-2020-9488[0]:
| Improper validation of certificate with host mismatch in Apache Log4j
| SMTP appender. This could allow an SMTPS connection to be intercepted
| by a man-in-the-middle attack which could leak any log messages sent
| through that appender.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9488
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488
[1] https://issues.apache.org/jira/browse/LOG4J2-2819
[2] https://www.openwall.com/lists/oss-security/2020/04/25/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

