Format: 1.8
Date: Sun, 12 Dec 2021 02:17:57 +0100
Source: apache-log4j2
Architecture: source
Version: 2.7-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 apache-log4j2 (2.7-2+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-44228:
     Chen Zhaojun of Alibaba Cloud Security Team discovered that JNDI features
     used in configuration, log messages, and parameters do not protect against
     attacker controlled LDAP and other JNDI related endpoints. An attacker who
     can control log messages or log message parameters can execute arbitrary
     code loaded from LDAP servers when message lookup substitution is enabled.