Format: 1.8
Date: Wed, 29 Dec 2021 11:44:21 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1002813
Changes:
 apache-log4j2 (2.17.1-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 2.17.1.
     - Fix CVE-2021-44832:
       Apache Log4j2 is vulnerable to a remote code execution (RCE) attack
       where an attacker with permission to modify the logging configuration
       file can construct a malicious configuration using a JDBC Appender with
       a data source referencing a JNDI URI which can execute remote code. This
       issue is fixed by limiting JNDI data source names to the java protocol.
       Thanks to Salvatore Bonaccorso for the report. (Closes: #1002813)