Your message dated Mon, 31 Jan 2022 11:04:12 +0000
with message-id <e1neutk-0003y9...@fasolo.debian.org>
and subject line Bug#1004482: fixed in apache-log4j1.2 1.2.17-11
has caused the Debian Bug report #1004482,
regarding liblog4j1.2-java: CVE-2022-23307 CVE-2022-23305 CVE-2022-23302
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1004482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004482
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblog4j1.2-java
Version: 1.2.17-10
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hey.
A number of holes were found in the 1.2 branch of log4j.
The following is apparently critical (code injection):
https://www.cvedetails.com/cve/CVE-2022-23307/
https://www.cvedetails.com/cve/CVE-2022-23305/
https://www.cvedetails.com/cve/CVE-2022-23302/
AFAIU there is no support anymore for these from upstream, and it seems:
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
there are no plans to fix it.
EGI recommends: "For services where chainsaw is installed but not used apply
the mitigation
zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*"
Not sure if that could be done for the Debian package in a new version?
Is Debian going to do anything about these?
Thanks,
Chris.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
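The chainsaw mitigation quoted in the report, as an added Python example (not code from the report, from EGI or from the Debian package): inspect a log4j 1.2 jar for the entries the listed CVEs concern and write a copy with them stripped, which is what the quoted `zip -d` does in place. The chainsaw path is the one the report quotes; the other three class paths are the components the remaining CVEs in the changelog cover, taken from the upstream CVE descriptions rather than from this page, and the sample jar is constructed.

```python
import io
import zipfile

# Entry prefixes for the components the CVEs in this report concern. Chainsaw is
# the one the report quotes; the other three mappings come from the upstream CVE
# descriptions, not from this bug report.
VULNERABLE_PREFIXES = {
    "CVE-2022-23307": "org/apache/log4j/chainsaw/",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender",
}

def list_entries(jar_bytes):
    """Entry names of a jar held in memory (a jar is a plain zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()

def find_vulnerable_entries(jar_bytes):
    """Map each CVE to the entries of its component still present in the jar."""
    hits = {}
    for name in list_entries(jar_bytes):
        for cve, prefix in VULNERABLE_PREFIXES.items():
            if name.startswith(prefix):
                hits.setdefault(cve, []).append(name)
    return hits

def strip_entries(jar_bytes, prefixes):
    """Copy of the jar without entries under any prefix; zipfile cannot delete
    in place, so the jar is rewritten (same result as the quoted `zip -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if any(item.filename.startswith(p) for p in prefixes):
                continue  # drop the vulnerable component
            dst.writestr(item, src.read(item))
    return out.getvalue()

def make_sample_jar():
    """Constructed stand-in for a log4j 1.2 jar; entries hold only class magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("org/apache/log4j/Logger.class",
                     "org/apache/log4j/chainsaw/Main.class",
                     "org/apache/log4j/chainsaw/LoggingReceiver.class",
                     "org/apache/log4j/net/JMSAppender.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `find_vulnerable_entries` over the bytes of each real jar (e.g. every `log4j*.jar` under the path the report names) before and after stripping to confirm only the intended component disappeared; removing chainsaw leaves the JMSAppender finding, which is why the package update, not the zip edit, is the complete fix.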
--- Begin Message ---
Source: apache-log4j1.2
Source-Version: 1.2.17-11
Done: Markus Koschany <a...@debian.org>
We believe that the bug you reported is fixed in the latest version of
apache-log4j1.2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j1.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 31 Jan 2022 11:40:47 +0100
Source: apache-log4j1.2
Architecture: source
Version: 1.2.17-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1004482
Changes:
apache-log4j1.2 (1.2.17-11) unstable; urgency=high
.
* Team upload.
* Fix CVE-2021-4104, CVE-2022-23305, CVE-2022-23302 and CVE-2022-23307.
(Closes: #1004482)
* Declare compliance with Debian Policy 4.6.0.
--- End Message ---