Your message dated Sat, 16 May 2020 20:21:38 +0000
with message-id <[email protected]>
and subject line Bug#947124: fixed in apache-log4j1.2 1.2.17-8+deb10u1
has caused the Debian Bug report #947124,
regarding apache-log4j1.2: CVE-2019-17571
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947124
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache-log4j1.2
Version: 1.2.17-8
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.2.17-7
Control: found -1 1.2.17-5
Hi,
The following vulnerability was published for apache-log4j1.2.
CVE-2019-17571[0]:
| Included in Log4j 1.2 is a SocketServer class that is vulnerable to
| deserialization of untrusted data which can be exploited to remotely
| execute arbitrary code when combined with a deserialization gadget
| when listening to untrusted network traffic for log data. This affects
| Log4j versions up to 1.2 up to 1.2.17.
Note that this issue corresponds to the old CVE-2017-5645 for the 2.x
branch codebase[1].
1.2 reached end of life in 2015 accordingly, and the "right move"
would be to switch to 2.x. Which raises a question from security
support point of view: We would need to fade out apache-log4j1.2 for
bullseye at least now right? From a quick check via a simulated dak
rm, it looks right now impossible to actually remove it. Are there
current plans from the Debian Java Maintainers for that? Or is there
something I currently just miss from the big picture?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-17571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
[1] https://www.openwall.com/lists/oss-security/2019/12/19/2
Regards,
Salvatore
--- End Message ---
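The report above describes the root cause: a log socket server that calls ObjectInputStream.readObject() on whatever a network peer sends, so any deserialization gadget on the classpath becomes reachable. The usual hardening is to refuse every class that is not explicitly expected before it is loaded. The following is an added example written for this page, not the Debian or Apache patch; the LogRecord class stands in for log4j's LoggingEvent, and the class names, allow-list and sample inputs are assumptions for illustration (Java 9 or newer for Set.of).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/**
 * Added example (not the Debian or Apache patch): a log receiver that only
 * deserializes an allow-listed set of classes from untrusted bytes.
 */
public class FilteredLogReceiver {

    /** Stand-in for the event type a log socket server legitimately expects (assumed). */
    public static final class LogRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String level;
        public final String message;
        public LogRecord(String level, String message) {
            this.level = level;
            this.message = message;
        }
    }

    /** Classes the receiver is willing to reconstruct from the wire (assumed allow-list). */
    private static final Set<String> ALLOWED = Set.of(LogRecord.class.getName());

    /** ObjectInputStream that rejects any class descriptor outside the allow-list. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Refuse before the class is loaded or instantiated: a gadget
                // chain never gets the chance to run its readObject() logic.
                throw new InvalidClassException(desc.getName(),
                        "class not permitted by deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Reads one record from untrusted bytes; throws on anything that is not a LogRecord. */
    public static LogRecord readRecord(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(wire))) {
            Object o = in.readObject();
            if (!(o instanceof LogRecord)) {
                throw new InvalidClassException(o.getClass().getName(), "unexpected top-level object");
            }
            return (LogRecord) o;
        }
    }

    /** Serializes an object the way a client (legitimate or not) would put it on the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a legitimate event is accepted.
        LogRecord ok = readRecord(serialize(new LogRecord("INFO", "service started")));
        System.out.println("accepted: " + ok.level + " " + ok.message);

        // Constructed sample input: a harmless, non-allow-listed class stands in for
        // any unexpected payload; the stream is rejected in resolveClass().
        try {
            readRecord(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through the built-in ObjectInputFilter (JEP 290), for example ObjectInputStream.setObjectInputFilter with a pattern such as "FilteredLogReceiver$LogRecord;!*"; the subclass approach above works on older runtimes as well. Either way the check must be on the class name of every descriptor in the stream, not just the top-level object, because nested fields are resolved the same way.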
--- Begin Message ---
Source: apache-log4j1.2
Source-Version: 1.2.17-8+deb10u1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
apache-log4j1.2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated apache-log4j1.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 02 May 2020 16:46:05 +0200
Source: apache-log4j1.2
Binary: liblog4j1.2-java liblog4j1.2-java-doc
Architecture: source all
Version: 1.2.17-8+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
liblog4j1.2-java - Logging library for java
liblog4j1.2-java-doc - Documentation for liblog4j1.2-java
Closes: 947124
Changes:
apache-log4j1.2 (1.2.17-8+deb10u1) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2019-17571. (Closes: #947124)
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget when
listening to untrusted network traffic for log data.
Checksums-Sha1:
370f4757ed517251293211fea7ed4bf9f59ea151 2497
apache-log4j1.2_1.2.17-8+deb10u1.dsc
2cba16006cb6f16dfb0eb83dab94af179ddad5f5 9908
apache-log4j1.2_1.2.17-8+deb10u1.debian.tar.xz
691ab57d543d668222d1ca27b854b4d4eef3f3b1 9034
apache-log4j1.2_1.2.17-8+deb10u1_amd64.buildinfo
b018f098d8f3ed52d54aecd485872b6601484099 498624
liblog4j1.2-java-doc_1.2.17-8+deb10u1_all.deb
a24ff7740874d0daf3b47e6db9098afaf98d0f37 437744
liblog4j1.2-java_1.2.17-8+deb10u1_all.deb
Checksums-Sha256:
bb6b440f13bbbfbdf98df055acc4a5742a52b5b532e0b3503c0783c53092007e 2497
apache-log4j1.2_1.2.17-8+deb10u1.dsc
6d8ae488afab3ee374fa6f2eb4048a6790284184e14d430011e5a3cd200727fe 9908
apache-log4j1.2_1.2.17-8+deb10u1.debian.tar.xz
486d4df7ecdb3ea0530560803667f948a1b532cb2049dd6f8a48929653e0331b 9034
apache-log4j1.2_1.2.17-8+deb10u1_amd64.buildinfo
e91d215b9be4ff75a353d5e62156b2fa40dc6d1a60e781740de38f4e1046c99a 498624
liblog4j1.2-java-doc_1.2.17-8+deb10u1_all.deb
24c66265ada8f249eaeb81da599e121cb03648d341c7b9bd0895e49bed1137e7 437744
liblog4j1.2-java_1.2.17-8+deb10u1_all.deb
Files:
f69ea6df5cc7a3598e47d0a12c29970e 2497 java optional
apache-log4j1.2_1.2.17-8+deb10u1.dsc
9758d7b41669e649b8350931e7ca0cc2 9908 java optional
apache-log4j1.2_1.2.17-8+deb10u1.debian.tar.xz
c87b15c16ac5976454e3204221fbe9b4 9034 java optional
apache-log4j1.2_1.2.17-8+deb10u1_amd64.buildinfo
c3a2510b76553817f6801930baf959f1 498624 doc optional
liblog4j1.2-java-doc_1.2.17-8+deb10u1_all.deb
4fb9fef3597cd24e5c6eafcae6e594c8 437744 java optional
liblog4j1.2-java_1.2.17-8+deb10u1_all.deb
-----BEGIN PGP SIGNATURE-----
=Rf1q
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.