Format: 1.8
Date: Sun, 26 Dec 2021 21:40:43 CET
Source: apache-log4j2
Binary: liblog4j2-java
Architecture: source
Version: 2.12.3-0+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 liblog4j2-java - Apache Log4j - Logging Framework for Java
Checksums-Sha1:
 020377c9eefccdb44f280d7379c82bdcef162f47 3024 apache-log4j2_2.12.3-0+deb9u1.dsc
 a9144816470dcb574159dc4736889d982f4aded0 1118852 apache-log4j2_2.12.3.orig.tar.xz
 de887f9572a90fa942b7edaac876ebc11b6e12ed 6748 apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 a17c74a8bea851da1560a85454ab2cb7b29107b3 17215 apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo
Checksums-Sha256:
 7246b7c191e012a2a238ebdf81fcd389951bf1b7334a9fbc06ec6090c76f1248 3024 apache-log4j2_2.12.3-0+deb9u1.dsc
 8a4c541dba5295e52aad750d899c477bc8f6bb9749879ab1dfae8ba6b1af002c 1118852 apache-log4j2_2.12.3.orig.tar.xz
 d0ba1558229c9ec5dab4b12ef5e82ff5191d0adedf53a9770d80454c83fd1ff9 6748 apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 7ce71aa2b4b448cec0daba3ba9e08d1d72d64df494158c5b0d4abccb5570b28c 17215 apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo
Changes:
 apache-log4j2 (2.12.3-0+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2020-9488:
     Improper validation of certificate with host mismatch in Apache Log4j
     SMTP appender. This could allow an SMTPS connection to be intercepted by
     a man-in-the-middle attack which could leak any log messages sent through
     that appender.
   * Fix CVE-2021-45105:
     Apache Log4j2 did not protect from uncontrolled recursion from
     self-referential lookups. This allows an attacker with control over
     Thread Context Map data to cause a denial of service when a crafted
     string is interpreted.
Files:
 e77c2bd23e10d21abec2ab7c7d381b4c 3024 java optional apache-log4j2_2.12.3-0+deb9u1.dsc
 e8997d9a59f23c9d6678841040232dcb 1118852 java optional apache-log4j2_2.12.3.orig.tar.xz
 0f8b318a775f1c31c335ff4d5b11abd0 6748 java optional apache-log4j2_2.12.3-0+deb9u1.debian.tar.xz
 6624af9a160662c7932770ab6e52fc5e 17215 java optional apache-log4j2_2.12.3-0+deb9u1_amd64.buildinfo