Format: 1.8
Date: Wed, 15 Dec 2021 02:38:06 +0100
Source: apache-log4j2
Architecture: source
Version: 2.16.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1001729
Changes:
 apache-log4j2 (2.16.0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.16.0.
     - Fix CVE-2021-45046:
       It was found that the fix to address CVE-2021-44228 in Apache Log4j
       2.15.0 was incomplete in certain non-default configurations. This could
       allow attackers with control over Thread Context Map (MDC) input data
       when the logging configuration uses a non-default Pattern Layout with
       either a Context Lookup (for example, $${ctx:loginId}) or a Thread
       Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
       using a JNDI Lookup pattern resulting in a denial of service (DOS)
       attack.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729)