Your message dated Wed, 29 Dec 2021 11:33:31 +0000
with message-id <e1n2xd1-0000lq...@fasolo.debian.org>
and subject line Bug#1002813: fixed in apache-log4j2 2.17.1-1
has caused the Debian Bug report #1002813,
regarding apache-log4j2: CVE-2021-44832: remote code execution via JDBC Appender
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1002813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002813
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.17.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3293
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.17.0-1~deb11u1
Control: found -1 2.17.0-1~deb10u1
Control: found -1 2.12.3-0+deb9u1

Hi,

The following vulnerability was published for apache-log4j2, which is
fixed in 2.17.1 and the security releases 2.12.4 and 2.3.2.

CVE-2021-44832[0]:
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security
| fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code
| execution (RCE) attack where an attacker with permission to modify the
| logging configuration file can construct a malicious configuration
| using a JDBC Appender with a data source referencing a JNDI URI which
| can execute remote code. This issue is fixed by limiting JNDI data
| source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4,
| and 2.3.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44832
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
[1] https://issues.apache.org/jira/browse/LOG4J2-3293
[2] https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143

Regards,
Salvatore

--- End Message ---
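The report above (and the changelog entry in the closing message) describes the exposure as a JDBC Appender whose DataSource names a JNDI URI outside the java protocol, which the fixed releases no longer resolve. For installations that cannot upgrade immediately, the same condition can be checked on the configuration side. The following scanner is an added example written for this page; it is not part of the Debian bug report, the Debian package, or Apache Log4j2. It parses a Log4j2 XML configuration, walks every JDBC appender, and flags each DataSource whose jndiName does not carry the java: scheme, mirroring the wording of the upstream fix (names with no scheme at all are flagged too, which is deliberately strict). The two configurations embedded below are constructed for the example, and the example.invalid host is a placeholder.

```python
"""Flag Log4j2 JDBC appender data sources whose JNDI name is not a java: name.

Added example for the CVE-2021-44832 report; not code from the Debian bug
report, the Debian package, or Apache Log4j2.  The only scheme accepted is
"java", matching the upstream fix that limits JNDI data source names to the
java protocol in 2.17.1 / 2.12.4 / 2.3.2.
"""
import xml.etree.ElementTree as ET

ALLOWED_SCHEME = "java"  # the only JNDI protocol the fixed releases resolve


def _local_name(tag):
    """Return an element's tag without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def find_unsafe_jndi_datasources(config_xml):
    """Return (appender name, jndiName) pairs for every JDBC appender
    DataSource whose jndiName does not start with the java: scheme.

    Log4j2 tag names are case-insensitive, so the comparison is too.
    A jndiName with no scheme is reported as well: this check is stricter
    than the library's own behaviour and is meant as a configuration audit.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for element in root.iter():
        if _local_name(element.tag).lower() != "jdbc":
            continue
        appender_name = element.get("name", "<unnamed>")
        for child in element:
            if _local_name(child.tag).lower() != "datasource":
                continue
            jndi_name = child.get("jndiName", "")
            scheme, has_scheme, _ = jndi_name.partition(":")
            if not has_scheme or scheme.lower() != ALLOWED_SCHEME:
                findings.append((appender_name, jndi_name))
    return findings


# Constructed sample configurations for the example (not from the page).
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <JDBC name="auditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="event_date" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="auditDb"/></Root>
  </Loggers>
</Configuration>
"""

# Same appender, but the data source name points outside the java protocol.
# example.invalid is a placeholder host; the scheme is what matters here.
UNSAFE_CONFIG = SAFE_CONFIG.replace(
    'jndiName="java:comp/env/jdbc/LoggingDataSource"',
    'jndiName="ldap://example.invalid/ds"',
)


def audit(config_xml, label):
    """Print a short audit verdict for one configuration and return findings."""
    findings = find_unsafe_jndi_datasources(config_xml)
    if not findings:
        print(f"{label}: OK, all JDBC DataSource names use the java: scheme")
    for appender_name, jndi_name in findings:
        print(f"{label}: appender {appender_name!r} uses non-java JNDI name "
              f"{jndi_name!r}; exploitable on Log4j2 < 2.17.1 / 2.12.4 / 2.3.2")
    return findings


if __name__ == "__main__":
    audit(SAFE_CONFIG, "safe config")
    audit(UNSAFE_CONFIG, "unsafe config")
```

Running it against a real deployment means feeding the contents of each log4j2.xml the application loads to find_unsafe_jndi_datasources; any finding is a configuration that the pre-fix releases would hand to JNDI unrestricted, and upgrading to 2.17.1-1 (or the stable security updates) removes the resolution path regardless of the configuration.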
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.17.1-1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Dec 2021 11:44:21 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1002813
Changes:
 apache-log4j2 (2.17.1-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.17.1.
     - Fix CVE-2021-44832:
       Apache Log4j2 is vulnerable to a remote code execution
       (RCE) attack where an attacker with permission to modify the logging
       configuration file can construct a malicious configuration using a JDBC
       Appender with a data source referencing a JNDI URI which can execute
       remote code. This issue is fixed by limiting JNDI data source names to
       the java protocol.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1002813)
Checksums-Sha1:
 f813d89a019d3d44d85af95584936d8925b96aa4 3019 apache-log4j2_2.17.1-1.dsc
 e1c06710e675182f651e8ce0784baacf806ecb55 1291432 apache-log4j2_2.17.1.orig.tar.xz
 bb35850181b0860bd2903f7062e0e4d9ea8a9d1d 7664 apache-log4j2_2.17.1-1.debian.tar.xz
 fa6483acc9587e0d02a49557ee9f1063c8ef84bb 14846 apache-log4j2_2.17.1-1_amd64.buildinfo
Checksums-Sha256:
 b9a277fc77c1f885dfd1245f5ffb39dd134cc7ddc3683f9ed74f8b1ab5c5c1e9 3019 apache-log4j2_2.17.1-1.dsc
 c7139fdcad10a8470da5c3f8d818c3eefe63c88e21518c27e558048ed3b90b15 1291432 apache-log4j2_2.17.1.orig.tar.xz
 118439225ec8cf5a5c63b0b59ef7311026be74a9c012d698e907cf5b3f4188fe 7664 apache-log4j2_2.17.1-1.debian.tar.xz
 348c147376f252582e75db839c112a4f11e8abb9381cc1bc43ba2f8cdb64cbbe 14846 apache-log4j2_2.17.1-1_amd64.buildinfo
Files:
 d702a1fb3bf2a5cf2e6cd93f7ffc672f 3019 java optional apache-log4j2_2.17.1-1.dsc
 6699f6c7aff5a7bb0ae6be954e0ee863 1291432 java optional apache-log4j2_2.17.1.orig.tar.xz
 abb8db63adfe302f10fb62aae463d66f 7664 java optional apache-log4j2_2.17.1-1.debian.tar.xz
 09800483666d7f9218b8493683d3f058 14846 java optional apache-log4j2_2.17.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---