Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-lts-changes@lists.debian.org> , <dispatch@tracker.debian.org>
Subject: Accepted apache-log4j2 2.12.3-0+deb9u1 (source) into oldoldstable
Date: Sun, 26 Dec 2021 21:00:13 +0000
Signed by: Markus Koschany <apo@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 26 Dec 2021 21:40:43 CET
Source: apache-log4j2
Binary: liblog4j2-java
Architecture: source
Version: 2.12.3-0+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblog4j2-java - Apache Log4j - Logging Framework for Java
Checksums-Sha1:
 020377c9eefccdb44f280d7379c82bdcef162f47 3024 apache-log4j2_2.12.3-0+deb9u1.dsc
 a9144816470dcb574159dc4736889d982f4aded0 1118852 apache-log4j2_2.12.3.orig.tar.xz
 de887f9572a90fa942b7edaac876ebc11b6e12ed 6748 apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 a17c74a8bea851da1560a85454ab2cb7b29107b3 17215 apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo
Checksums-Sha256:
 7246b7c191e012a2a238ebdf81fcd389951bf1b7334a9fbc06ec6090c76f1248 3024 apache-log4j2_2.12.3-0+deb9u1.dsc
 8a4c541dba5295e52aad750d899c477bc8f6bb9749879ab1dfae8ba6b1af002c 1118852 apache-log4j2_2.12.3.orig.tar.xz
 d0ba1558229c9ec5dab4b12ef5e82ff5191d0adedf53a9770d80454c83fd1ff9 6748 apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 7ce71aa2b4b448cec0daba3ba9e08d1d72d64df494158c5b0d4abccb5570b28c 17215 apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo
Changes:
 apache-log4j2 (2.12.3-0+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-9488:
     Improper validation of certificate with host mismatch in Apache Log4j SMTP
     appender. This could allow an SMTPS connection to be intercepted by a
     man-in-the-middle attack which could leak any log messages sent through
     that appender.
   * Fix CVE-2021-45105:
     Apache Log4j2 did not protect from uncontrolled recursion from
     self-referential lookups. This allows an attacker with control over Thread
     Context Map data to cause a denial of service when a crafted string is
     interpreted.
Files:
 e77c2bd23e10d21abec2ab7c7d381b4c 3024 java optional apache-log4j2_2.12.3-0+deb9u1.dsc
 e8997d9a59f23c9d6678841040232dcb 1118852 java optional apache-log4j2_2.12.3.orig.tar.xz
 0f8b318a775f1c31c335ff4d5b11abd0 6748 java optional apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 6624af9a160662c7932770ab6e52fc5e 17215 java optional apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmHI03NfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HktxsP/R6OcPVjOLWCzqWk+S2NtPuWkZ4dzvYJmseM
79lZCdaaRF9U99b0451tutPn1lIyprKOV+O+PP6kguiyDHJ0hjqOQXzs2F3vly9Y
qGcv4B/g5UyjlKpz4wJOJdQDxxPqhKuvIkJd2yDT3Y0X7ybYnaD3QFf+cTKMIPa5
0FpI12VhXTHSgF69Wq8YAX+U9VaMp/G4ybj1Q76rPHW4mB48bszHx7Zid1hGLiNO
kjrgecYugf/LbmQtS28nqz594niQIE6hr5eL6zvd5D8csQlBeT6QtaUnYu4yIfFo
n1awEkiwhi++jCY2g0009aIrS2gPw/ZdPg/JDBJBIVWr81G2pZ+TLOXsyRJhbAXK
oNWxrWmWqzkHdMGAg+fC4jgSe9h40Oo1SYEMXxww4vUPl3vgYwpH7Q8Nln38YyV9
MLKd6u48a5u7AUii9tkkJNcHyCbfy3Fq5hryIXABlDeO5rOzLCjd3yvNvMdmOTHV
kN2tB0ewoMNaF6j3KZoGSrPrBoZHbBBKWQFXM2viX4W5c2oKm0j1Kyzz/uB21ls1
f7DrxL7kpfSU3rRbqidlTieYDmulQU7vYl/9PzqaRJjiJmHNDqs3e1yeg3QfC6Q0
pDQOqNvpOZf9jxVuZUaNh6qoY118JL8WurwWuYdyMySBrSb5XOAjOJVxCU660kb+
GT2VSzFo
=rvOm
-----END PGP SIGNATURE-----
News for package apache-log4j2
