Your message dated Sat, 18 Dec 2021 18:18:44 +0000
with message-id <e1myei8-000eyq...@fasolo.debian.org>
and subject line Bug#1001891: fixed in apache-log4j2 2.17.0-1
has caused the Debian Bug report #1001891,
regarding apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1001891: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.16.0-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3230
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.16.0-1~deb11u1
Control: found -1 2.16.0-1~deb10u1
Hi,
The following vulnerability was published for apache-log4j2, again with a less severe impact.
CVE-2021-45105[0]:
| Certain strings can cause infinite recursion
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-45105
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
[1] https://issues.apache.org/jira/browse/LOG4J2-3230
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.17.0-1
Done: Markus Koschany <a...@debian.org>
We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 18 Dec 2021 17:09:22 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001891
Changes:
apache-log4j2 (2.17.0-1) unstable; urgency=high
.
  * Team upload.
  * New upstream version 2.17.0.
    - Fix CVE-2021-45105:
      Apache Log4j2 did not protect from uncontrolled recursion from
      self-referential lookups. When the logging configuration uses a
      non-default Pattern Layout with a Context Lookup (for example,
      $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
      input data can craft malicious input data that contains a recursive
      lookup, resulting in a denial of service. (Closes: #1001891)
      Thanks to Salvatore Bonaccorso for the report.
--- End Message ---
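As an added example (not part of the bug report or of the Debian package), the following Python check scans a log4j2 XML configuration for the precondition named in the changelog above: a PatternLayout whose pattern embeds a Context Lookup (`${ctx:...}` or `$${ctx:...}`). For each hit it reports the MDC keys involved and the equivalent `%X{key}` pattern, which reads the Thread Context Map directly without going through lookup substitution; the sample configuration is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2 configuration (not taken from the bug report):
# the "Risky" appender embeds a Context Lookup in its pattern, which is the
# precondition described in the changelog; "Safe" reads the MDC with %X{}.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Risky"/></Root></Loggers>
</Configuration>"""

# Matches ${ctx:key} and the escaped form $${ctx:key}; group 1 is the MDC key.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")


def pattern_strings(config_xml):
    """Yield the pattern text of every PatternLayout, whether it is given
    as a pattern="..." attribute or as a nested <Pattern> element."""
    for layout in ET.fromstring(config_xml).iter():
        if layout.tag.lower() != "patternlayout":
            continue
        if "pattern" in layout.attrib:
            yield layout.attrib["pattern"]
        for child in layout:
            if child.tag.lower() == "pattern" and child.text:
                yield child.text


def find_context_lookups(config_xml):
    """Return one finding per pattern that embeds a Context Lookup:
    (original pattern, MDC keys referenced, pattern rewritten to %X{key})."""
    findings = []
    for pattern in pattern_strings(config_xml):
        keys = CTX_LOOKUP.findall(pattern)
        if keys:
            fixed = CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)
            findings.append((pattern, keys, fixed))
    return findings
```

Running `find_context_lookups(SAMPLE_CONFIG)` flags only the "Risky" appender; upgrading to 2.17.0 remains the actual fix, and the `%X{}` rewrite only removes the lookup-based precondition from a configuration.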