Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org
Hi, I would like to fix CVE-2021-44832 in Buster. Apache Log4j2 has been affected by some serious remote code execution vulnerabilities in the past months. The most severe ones have been already addressed in buster-security with version 2.17.0-1~deb10u1. CVE-2021-44832 is less severe thus the security team decided to mark this issue as no-dsa. I have prepared a backport of the current Log4j2 version in testing which again is a new upstream release instead of a targeted fix. I am confident this one works as well as the other upgrades before and I recommend to use it in oldstable from now on. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Regards, Markus
apache-log4j2_buster.debdiff.gz
Description: application/gzip
