Your message dated Thu, 16 Dec 2021 22:32:07 +0000
with message-id <e1mxzif-0002vz...@fasolo.debian.org>
and subject line Bug#1001729: fixed in apache-log4j2 2.16.0-1~deb11u1
has caused the Debian Bug report #1001729,
regarding apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1001729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.15.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.15.0-1~deb11u1
Control: found -1 2.15.0-1~deb10u1
Hi,
The following vulnerability was published for apache-log4j2. Strictly
speaking it's less severe than CVE-2021-44228, as it is an incomplete fix
for the former CVE in certain non-default configurations.
CVE-2021-45046[0]:
| It was found that the fix to address CVE-2021-44228 in Apache Log4j
| 2.15.0 was incomplete in certain non-default configurations. This
| could allow attackers with control over Thread Context Map (MDC)
| input data when the logging configuration uses a non-default Pattern
| Layout with either a Context Lookup (for example, $${ctx:loginId}) or
| a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious
| input data using a JNDI Lookup pattern resulting in a denial of
| service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
| localhost by default. Note that previous mitigations involving
| configuration such as to set the system property
| `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific
| vulnerability. Log4j 2.16.0 fixes this issue by removing support for
| message lookup patterns and disabling JNDI functionality by default.
| This issue can be mitigated in prior releases (<2.16.0) by removing
| the JndiLookup class from the classpath (example: zip -q -d
| log4j-core-*.jar
| org/apache/logging/log4j/core/lookup/JndiLookup.class).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
[1] https://issues.apache.org/jira/browse/LOG4J2-3221
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
[3] https://www.openwall.com/lists/oss-security/2021/12/14/4
Regards,
Salvatore
--- End Message ---
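The advisory above names two things a defender has to establish on a host: whether a deployed log4j-core jar older than 2.16.0 still ships the JndiLookup class, and whether the logging configuration uses a PatternLayout that interpolates Thread Context Map data (%X, %mdc, %MDC or a ${ctx:...} lookup), since only that combination is exposed. The following Python script is an added example written for this page, not code from the bug report, Debian or the Log4j project. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header (it falls back to "unknown version, flag it" otherwise), builds two constructed sample jars in a temporary directory so it runs offline, and its remove_jndi_lookup() mirrors the advisory's `zip -q -d ... JndiLookup.class` step with the standard zipfile module.

```python
"""CVE-2021-45046 exposure check: JndiLookup class in jars + MDC patterns in config.

Added example, not part of the Debian bug report or of Log4j itself.
"""
import io
import os
import re
import tempfile
import zipfile

# Class the advisory says to strip from log4j-core releases < 2.16.0.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# PatternLayout specifiers and lookups that pull Thread Context Map (MDC)
# values into the formatted line, as listed in the advisory. Case matters:
# lowercase %x is the NDC, not the MDC, so no IGNORECASE here.
MDC_PATTERN = re.compile(r"%X\b|%mdc\b|%MDC\b|\$\$?\{ctx:")


def _version_tuple(version):
    """'2.15.0' -> (2, 15, 0); only the leading numeric parts are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_jar(path):
    """Return (implementation_version_or_None, ships_jndi_lookup) for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            # Assumption: the manifest exposes Implementation-Version.
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
        return version, JNDI_LOOKUP_CLASS in names


def scan_directory(root):
    """Walk root for *.jar files -> {path: {'version': str|None, 'jndi_lookup': bool}}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                version, has_cls = scan_jar(full)
                findings[full] = {"version": version, "jndi_lookup": has_cls}
    return findings


def needs_action(finding):
    """Advisory rule: class present AND release < 2.16.0 (2.16.0 keeps the class
    but disables JNDI by default). Unknown version with the class present is flagged."""
    if not finding["jndi_lookup"]:
        return False
    if finding["version"] is None:
        return True
    return _version_tuple(finding["version"]) < (2, 16, 0)


def config_uses_mdc(config_text):
    """True if a Log4j 2 config interpolates Thread Context Map data in a pattern."""
    return MDC_PATTERN.search(config_text) is not None


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place).
    Returns True if the class was present and has been removed."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(item, src.read(item.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True


# Constructed sample configs (not taken from any real deployment).
SAMPLE_CONFIG_EXPOSED = """<Configuration><Appenders><Console name="c">
  <PatternLayout pattern="%d %p %X{loginId} $${ctx:sessionId} %m%n"/>
</Console></Appenders></Configuration>"""
SAMPLE_CONFIG_DEFAULT = """<Configuration><Appenders><Console name="c">
  <PatternLayout pattern="%d [%t] %-5level %logger{36} - %m%n"/>
</Console></Appenders></Configuration>"""


def build_sample_tree():
    """Create a temp dir with two constructed fake jars: one still shipping the
    class, one already stripped. Returns (root, vulnerable_path, mitigated_path)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(name, version, with_jndi):
        path = os.path.join(root, name)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            jar.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        return path

    return (root,
            make_jar("log4j-core-2.15.0.jar", "2.15.0", True),
            make_jar("log4j-core-2.15.0-mitigated.jar", "2.15.0", False))


if __name__ == "__main__":
    root, vulnerable, mitigated = build_sample_tree()
    for path, finding in scan_directory(root).items():
        print(f"{path}: version={finding['version']} "
              f"jndi_lookup={finding['jndi_lookup']} action={needs_action(finding)}")
    print("exposed config uses MDC:", config_uses_mdc(SAMPLE_CONFIG_EXPOSED))
    print("default config uses MDC:", config_uses_mdc(SAMPLE_CONFIG_DEFAULT))
    print("stripped class from vulnerable jar:", remove_jndi_lookup(vulnerable))
```

Both checks are needed for a risk decision: a jar that still ships the class is only reachable through this CVE when a pattern interpolates attacker-influenced MDC data, but stripping the class (or upgrading to the 2.16.0 package this bug closes) is the durable fix regardless of how the configuration looks today.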
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.16.0-1~deb11u1
Done: Markus Koschany <a...@debian.org>
We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 16 Dec 2021 00:48:17 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001729
Changes:
apache-log4j2 (2.16.0-1~deb11u1) bullseye-security; urgency=high
.
* Team upload.
* Backport version 2.16.0 to Bullseye and fix CVE-2021-45046.
(Closes: #1001729)
Checksums-Sha1:
26cba39fd38c8586a43d22d10370f45868f8c4d2 3051 apache-log4j2_2.16.0-1~deb11u1.dsc
29ed458aa60e1821908564fd66438c6e9206e282 1285464 apache-log4j2_2.16.0.orig.tar.xz
6559785b1402c6431a1d236a1edb4d03ea141c55 7472 apache-log4j2_2.16.0-1~deb11u1.debian.tar.xz
f609cb71c1417eaa8f3c1fc86ac82c63c9d3d511 9100 apache-log4j2_2.16.0-1~deb11u1_source.buildinfo
Checksums-Sha256:
70b8dbfb9721dd2fb212f1dd080e331152e5154c6b6a78451504fe42d1935be3 3051 apache-log4j2_2.16.0-1~deb11u1.dsc
d36a7556e7027819aaceef02838dcfaa3dd368f74f92b9585b2b6a442eb2194f 1285464 apache-log4j2_2.16.0.orig.tar.xz
b7e186164c15d5dbe53b5e487f055e463a6489015c9ef5cc5c6d373f13e13ad1 7472 apache-log4j2_2.16.0-1~deb11u1.debian.tar.xz
7f9c56b3096b6bc39c0a2c7e5b08c055b50d871590f5d72206088ca6bffb6c4e 9100 apache-log4j2_2.16.0-1~deb11u1_source.buildinfo
Files:
0d55b5d8c1184c5c16b0d53b3c175e94 3051 java optional apache-log4j2_2.16.0-1~deb11u1.dsc
d7a5e122b9ff61c6272c62347b25986b 1285464 java optional apache-log4j2_2.16.0.orig.tar.xz
14b2ec1111a80c422ae32fccfa5da678 7472 java optional apache-log4j2_2.16.0-1~deb11u1.debian.tar.xz
8757c7b5c8e55bd40411d5c7ba1827b3 9100 java optional apache-log4j2_2.16.0-1~deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---