apache-log4j1.2 (1.2.17-8+deb10u2) buster; urgency=medium * Team upload. * Fix CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307. Multiple security vulnerabilities have been discovered in Apache Log4j 1.2 when it is configured to use JMSSink, JDBCAppender and JMSAppender or Apache Chainsaw. Note that a possible attacker requires write access to the Log4j configuration and the aforementioned features are not enabled by default. In order to completely mitigate against these vulnerabilities the related classes have been removed from the resulting jar file. -- Markus Koschany Sat, 12 Feb 2022 10:40:19 +0100 apache-log4j1.2 (1.2.17-8+deb10u1) buster-security; urgency=high * Team upload. * Fix CVE-2019-17571. (Closes: #947124) Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. -- Markus Koschany Sat, 02 May 2020 16:46:05 +0200 apache-log4j1.2 (1.2.17-8) unstable; urgency=medium * No longer attempt to install the javadoc jar (Closes: #879251) * Relocated the log4j:log4j:debian artifact to log4j:log4j:1.2.x * Build with the DH sequencer instead of CDBS * Fixed a typo in the doc-base title * Moved the package to Git * Standards-Version updated to 4.1.1 * Switch to debhelper level 10 * Refreshed debian/copyright -- Emmanuel Bourg Sun, 22 Oct 2017 00:55:53 +0200 apache-log4j1.2 (1.2.17-7) unstable; urgency=medium * Team upload. * Transition to bnd 2.1.0. * Vcs-Browser: Use https. -- Markus Koschany Tue, 17 Nov 2015 18:22:37 +0100 apache-log4j1.2 (1.2.17-6) unstable; urgency=medium * Team upload. * Add missing .class files to .jar (Closes: #791446) -- Hilko Bengen Tue, 07 Jul 2015 00:47:09 +0200 apache-log4j1.2 (1.2.17-5) unstable; urgency=medium * Team upload. [ Kumar Appaiah ] * debian/control: Remove Kumar Appaiah from uploaders [ Emmanuel Bourg ] * Depend on libmail-java instead of libgnumail-java * Standards-Version updated to 3.9.6 (no changes) * Switch to debhelper level 9 * debian/copyright: Updated to the Copyright Format 1.0 -- Emmanuel Bourg Tue, 30 Sep 2014 14:26:42 +0200 apache-log4j1.2 (1.2.17-4) unstable; urgency=low * Removed the dependency on libjboss-jmx-java since javax.management is now part of the JDK. * Enabled the compilation of the org.apache.log4j.jmx.Agent class * Added a description to build_fix.patch -- Emmanuel Bourg Tue, 27 Aug 2013 09:52:20 +0200 apache-log4j1.2 (1.2.17-3) unstable; urgency=low * Removed the dependency on the Activation Framework (libgnujaf-java) * debian/rules: Improved the clean target * Use canonical URLs for the Vcs-* fields -- Emmanuel Bourg Thu, 16 May 2013 14:46:43 +0200 apache-log4j1.2 (1.2.17-2) unstable; urgency=low * Team upload. * Upload to unstable. -- tony mancill Mon, 06 May 2013 20:43:34 -0700 apache-log4j1.2 (1.2.17-1) experimental; urgency=low * Team upload. * New upstream release * Refreshed the patch * debian/watch: Fixed the URL * Updated Standards-Version to 3.9.4 (no changes) [ Tony Mancill ] * Remove Michael Koch from Uploaders. (Closes: #653986) -- Emmanuel Bourg Tue, 02 Apr 2013 15:23:23 +0200 apache-log4j1.2 (1.2.16-3) unstable; urgency=low * Add Bundle-SymbolicName to jar manifest * Update Import-Package OSGi attribute * Add Jakub Adam to Uploaders * Updated Standards-Version to 3.9.2 * Removed Thomas Koch from Uploaders. Thanks for your contributions. -- Jakub Adam Sun, 27 Nov 2011 19:01:34 +0100 apache-log4j1.2 (1.2.16-2) unstable; urgency=low [ Ludovic Claude ] * Add myself to uploaders * Rename source package to apache-log4j1.2 (Closes: #598007) * d/maven.rules: use * instead of jar to match log4j, as version 1.2.16 has a pom type of 'bundle' and this means that the version installed in the Maven repository is 'debian' instead of '1.2.x' (Closes: #618263) * d/control: update Homepage to reflect the new location of log4j * include OSGi metadata in the jar, add Build-Depends on bnd * Add --has-package-version to libapache-log4j1.2-java.poms * Deploy javadoc jar into the Maven repository [ Niels Thykier ] * Updated Vcs-* fields. [ Torsten Werner ] * Remove Kalle from Uploaders list. * Do no longer build the liblog4j1.2-java-gcj package. * Fix typo in Description. -- Torsten Werner Fri, 23 Sep 2011 23:03:09 +0200 jakarta-log4j (1.2.16-1) experimental; urgency=low * New upstream release * debian/control: + Standards version is now 3.9.1 (No changes needed). + Recommends: liblog4j1.2-java-gcj downgraded to Suggests (Closes: #583260) + Add Suggests on liblog4j1.2-java-doc * Remove pom.xml.patch, changes applied upstream, refresh build.xml.patch -- Ludovic Claude Fri, 14 May 2010 00:11:30 +0200 jakarta-log4j (1.2.15-11) unstable; urgency=low * Team upload. * Move the patches to quilt, add a Build-Depends on quilt * JMX package is built and patch from Thomas Koch has been applied with changes (Closes: #503837) * Use default-jdk-doc instead of classpath-doc/openjdk-6-doc (Closes: #567275) * Remove dependencies on all java runtimes and java-common (Closes: #576737) * Source format 3.0 (quilt) - removed quilt as build dependency - removed include patchsys-quilt.mk in d/rules -- Ludovic Claude Mon, 05 Apr 2010 16:30:15 +0200 jakarta-log4j (1.2.15-10) unstable; urgency=low * Fixed Maven support (Closes: #571046) - d/m.ignoreRules: added JMX stuff - pom.xml patch : javax.jms and java.mail set as optional * Standards-Version to 3.8.4 * debhelper compat to 7 -- Gabriele Giacone <1o5g4r8o@gmail.com> Wed, 24 Feb 2010 02:33:46 +0100 jakarta-log4j (1.2.15-9) unstable; urgency=low * Added libjboss-jmx-java to suggests: -- Thomas Koch Thu, 14 Jan 2010 15:51:45 +0100 jakarta-log4j (1.2.15-8) unstable; urgency=low * Build with jmx support -- Thomas Koch Tue, 12 Jan 2010 11:02:21 +0100 jakarta-log4j (1.2.15-7) unstable; urgency=low * Upload to unstable -- Torsten Werner Sun, 09 Aug 2009 11:25:57 +0200 jakarta-log4j (1.2.15-6) experimental; urgency=low [ Ludovic Claude ] * Add the Maven POM to the package * Add a Build-Depends dependency on maven-repo-helper * Move API documentation to /usr/share/doc/liblog4j1.2-java/api [ Torsten Werner ] * Fix doc-base file. -- Torsten Werner Sun, 02 Aug 2009 21:51:13 +0200 jakarta-log4j (1.2.15-5) unstable; urgency=low * Add myself to Uploaders. * Do no longer quote the full text of the Apache-2.0 license. * Add missing Depends: ${misc:Depends}. * Change Section: java. * Update Standards-Version: 3.8.2 (no changes). * Fix spelling api -> API. -- Torsten Werner Thu, 30 Jul 2009 18:24:10 +0200 jakarta-log4j (1.2.15-4) unstable; urgency=low * liblog4j-java: Depend on default-jre-headless as the preferred runtime, keep the existing alternatives for now. -- Matthias Klose Mon, 04 Aug 2008 23:55:26 +0200 jakarta-log4j (1.2.15-3) unstable; urgency=medium * debian/control: + Use default-java-jdk in place of java-gcj-compat-dev. (Closes: #477866) + Switch to use Varun and Kumar's debian.org addresses. + Standards version is now 3.7.3 (No changes needed). + Use Vcs-Broswer and Vcs-Svn in place of XS-Vcs-*. * debian/rules: + Switch JAVA_HOME location to /usr/lib/jvm/default-java. * debian/copright: + Update to UTF-8, and add a copyright for the Apache Software Foundartion. -- Kumar Appaiah Sun, 27 Apr 2008 17:35:01 +0530 jakarta-log4j (1.2.15-2) unstable; urgency=low [ Matthias Klose ] * Really build the native jars, don't ship an empty package. Closes: #453941. -- Kumar Appaiah Sun, 02 Dec 2007 20:24:35 +0530 jakarta-log4j (1.2.15-1) unstable; urgency=low [ Kumar Appaiah ] * New upstream release. * debian/compat: bumped to 5. * debian/watch: Added file. * debian/control: + Added Kumar Appaiah and Varun Hiremath to Uploaders. + Moved all build dependencencies to Build-Depends. + Depend on cdbs. + Added Homepage, XS-Vcs-Svn and XS-Vcs-Browser fields. * debian/liblog4j1.2-java-doc.doc-base: Specigy API doc location. * debian/liblog4j1.2-java.links: Removed. Functionality in debian/rules. * debian/orig-tar.sh: Added to ease repackaging. * debian/README.Debian-source: Added to explain repackaging. * debian/patches/01_build_fix.patch: Fix javadoc issues and compiler target versions. * debian/rules: + Move to cdbs. + Ensure we build native jars. + Ensure the generated docs are removed to prevent an FTBFS on successive builds. [ Varun Hiremath ] * Ensure upstream javadocs are removed while repackaging. -- Varun Hiremath Fri, 28 Sep 2007 15:30:56 +0530 jakarta-log4j (1.2.13-5) unstable; urgency=low * Rename source package. Closes: #308339. * Updated Standard-Version to 3.7.2. -- Michael Koch Sun, 15 Jul 2007 15:35:02 +0200 jakarta-log4j1.2 (1.2.13-4) unstable; urgency=low * Build a liblog4j1.2-java-gcj package. Closes: #427243. * Updated package descriptions. * Removed Wolfgang and added myself to Uploaders. -- Michael Koch Sat, 30 Jun 2007 10:45:43 -0100 jakarta-log4j1.2 (1.2.13-3) unstable; urgency=low * Build using java-gcj-compat-dev (merged from Ubuntu). -- Matthias Klose Fri, 8 Dec 2006 10:45:35 +0100 jakarta-log4j1.2 (1.2.13-2) unstable; urgency=low * Added binary-arch build target (noop) (closes: #395615) -- Kalle Kivimaa Sat, 28 Oct 2006 08:30:00 +0300 jakarta-log4j1.2 (1.2.13-1) unstable; urgency=low * New upstream release * kaffe compiler transition * Remove build dependencies on libcrimson-java, libjaxp1.2-java (not needed) * Build javadoc from source * Updated README.Debian to what we actually build -- Wolfgang Baer Wed, 18 Jan 2006 17:33:47 +0100 jakarta-log4j1.2 (1.2.12-1) unstable; urgency=low * New upstream release (closes: #328253) + Apache License 2.0 - updated debian/copyright * Use kaffe for building instead of jikes alone Fixes the FTBS (closes: #334634) * Remove useless parts from README.Debian * Standards-Version 3.6.2 (no changes) * Don't depend on java-common * Remove outdated log4j 1.1 section from description * Register manual with doc-base * Add myself to uploaders -- Wolfgang Baer Fri, 28 Oct 2005 21:52:06 +0200 jakarta-log4j1.2 (1.2.9-1) unstable; urgency=low * New upstream version (differs from 1.2.8 only in that some methods are deprecated in preparation for 1.3) * Javadocs are now retained from the upstream distribution. This is just a temporary measure until gjdoc works (closes: #265746) -- Kalle Kivimaa Sat, 13 Nov 2004 16:00:00 +0200 jakarta-log4j1.2 (1.2.8-7) unstable; urgency=high * Javadocs are now correctly generated (closes: #265746) -- Kalle Kivimaa Sun, 15 Aug 2004 15:00:00 +0300 jakarta-log4j1.2 (1.2.8-6) unstable; urgency=high * rules script now correctly includes log4j.dtd (closes: #265704) * Bogus libmx4j-java classes removed from jikes classpath (closes: #265710) -- Kalle Kivimaa Sat, 14 Aug 2004 18:00:00 +0300 jakarta-log4j1.2 (1.2.8-5) unstable; urgency=low * rules script was missing two removes related to bug #221236. -- Kalle Kivimaa Fri, 13 Aug 2004 12:30:00 +0300 jakarta-log4j1.2 (1.2.8-4) unstable; urgency=low * Builds from source (closes: #221236) (removed chainsaw and lf5 parts, these will be available in liblog4j1.2-contrib-java) * Adopted the package to pkg-java-maintainers (closes: #263869) -- Kalle Kivimaa Fri, 13 Aug 2004 11:00:00 +0300 jakarta-log4j1.2 (1.2.8-3) unstable; urgency=low * Changed section from contrib to main. (closes: #237362, #230441) * Modified depends to depend on java1-runtime or java2-runtime. -- Benoit Joly Sat, 27 Mar 2004 15:42:06 -0500 jakarta-log4j1.2 (1.2.8-2) unstable; urgency=low * New description. -- Benoit Joly Wed, 23 Apr 2003 00:14:26 -0400 jakarta-log4j1.2 (1.2.8-1) unstable; urgency=low * New package for version 1.2 of the log4j API. (closes: #188708) -- Benoit Joly Thu, 10 Apr 2003 00:03:47 -0400