Your message dated Fri, 24 Dec 2021 13:47:23 +0000
with message-id <e1n0kup-0001re...@fasolo.debian.org>
and subject line Bug#1001729: fixed in apache-log4j2 2.16.0-1~deb10u1
has caused the Debian Bug report #1001729,
regarding apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.15.0-1~deb11u1
Control: found -1 2.15.0-1~deb10u1

Hi,

The following vulnerability was published for apache-log4j2. Strictly
speaking it's less severe than CVE-2021-44228, as it is an incomplete fix
for the former CVE in certain non-default configurations.

CVE-2021-45046[0]:
| It was found that the fix to address CVE-2021-44228 in Apache Log4j
| 2.15.0 was incomplete in certain non-default configurations. This
| could allow attackers with control over Thread Context Map (MDC)
| input data when the logging configuration uses a non-default Pattern
| Layout with either a Context Lookup (for example, $${ctx:loginId}) or
| a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious
| input data using a JNDI Lookup pattern resulting in a denial of
| service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
| localhost by default. Note that previous mitigations involving
| configuration such as to set the system property
| `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific
| vulnerability. Log4j 2.16.0 fixes this issue by removing support for
| message lookup patterns and disabling JNDI functionality by default.
| This issue can be mitigated in prior releases (<2.16.0) by removing
| the JndiLookup class from the classpath (example: zip -q -d
| log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45046
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
[1] https://issues.apache.org/jira/browse/LOG4J2-3221
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
[3] https://www.openwall.com/lists/oss-security/2021/12/14/4

Regards,
Salvatore

--- End Message ---
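The interim mitigation quoted in the report above (removing JndiLookup.class from log4j-core jars on releases before 2.16.0) is easy to audit for and to apply programmatically. The following is an added example, not code from the bug report, from Debian or from the Log4j project: it scans a directory tree for log4j-core jars that still ship the class and rewrites such a jar without it, the same effect as the `zip -q -d` command in the advisory. The sample jars it builds are constructed stand-ins, not real Log4j artifacts.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Entry named in the CVE text; its presence means the interim mitigation is not applied.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def make_sample_jar(path: Path, include_jndi: bool) -> Path:
    """Construct a fake log4j-core jar for the demo (not a real Log4j build)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def has_jndi_lookup(jar_path: Path) -> bool:
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def scan_tree(root: Path) -> List[str]:
    """Names of every log4j-core*.jar under root that still ships JndiLookup."""
    return sorted(p.name for p in root.rglob("log4j-core*.jar") if has_jndi_lookup(p))


def strip_jndi_lookup(jar_path: Path) -> int:
    """Rewrite the jar without JndiLookup.class (like `zip -q -d`); return entries removed."""
    removed, buf = 0, io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue  # drop only the JNDI lookup; keep every other entry as-is
            dst.writestr(info, src.read(info.filename))
    if removed:
        jar_path.write_bytes(buf.getvalue())
    return removed


def demo() -> Dict[str, object]:
    """Scan a constructed tree, mitigate the flagged jar, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vuln = make_sample_jar(root / "app" / "lib" / "log4j-core-2.15.0.jar", True)
        make_sample_jar(root / "other" / "log4j-core-2.16.0.jar", False)
        before = scan_tree(root)
        removed = strip_jndi_lookup(vuln)
        with zipfile.ZipFile(vuln) as jar:
            kept = sorted(jar.namelist())
        return {"before": before, "removed": removed, "after": scan_tree(root),
                "removed_again": strip_jndi_lookup(vuln), "kept": kept}


if __name__ == "__main__":
    print(demo())
```

Removing the class is only the stop-gap from the advisory; the report's closing version (2.16.0) is the actual fix, and upgrading remains the goal.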
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.16.0-1~deb10u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 16 Dec 2021 00:48:17 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001729
Changes:
 apache-log4j2 (2.16.0-1~deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * Backport version 2.16.0 to Buster and fix CVE-2021-45046.
     (Closes: #1001729)


--- End Message ---
