Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <dispatch@tracker.debian.org> , <debian-lts-changes@lists.debian.org>
Subject: Accepted apache-log4j2 2.17.1-1~deb11u2 (source) into oldoldstable-security
Date: Mon, 19 Jan 2026 19:30:20 +0000
Signed by: Markus Koschany <apo@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Jan 2026 20:11:23 CET
Source: apache-log4j2
Architecture: source
Version: 2.17.1-1~deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 c0fe47a943872ac888fe36b77a80520d827140ae 3051 apache-log4j2_2.17.1-1~deb11u2.dsc
 e1c06710e675182f651e8ce0784baacf806ecb55 1291432 apache-log4j2_2.17.1.orig.tar.xz
 cfdc93fb1e4590d42ab8e7eb4de86ca768b2ff24 9868 apache-log4j2_2.17.1-1~deb11u2.debian.tar.xz
 1df0e3daa9c5bdb3a2444d0cd563d4df8b50334a 15550 apache-log4j2_2.17.1-1~deb11u2_amd64.buildinfo
Checksums-Sha256:
 7d4e92433f6a18489cbf557799f5629c238c84dde7590f92b1e0bfc1f18d0629 3051 apache-log4j2_2.17.1-1~deb11u2.dsc
 c7139fdcad10a8470da5c3f8d818c3eefe63c88e21518c27e558048ed3b90b15 1291432 apache-log4j2_2.17.1.orig.tar.xz
 dfa713ca05cfcf9cba49eabeac93c453dd2be43579f637fb743d975661e26b0c 9868 apache-log4j2_2.17.1-1~deb11u2.debian.tar.xz
 cdd6cf6f479b2d14546267d4f95762f230b9c133abb8de4696c7a08f091941d8 15550 apache-log4j2_2.17.1-1~deb11u2_amd64.buildinfo
Changes:
 apache-log4j2 (2.17.1-1~deb11u2) bullseye-security; urgency=medium
 .
   * Team upload.
   * The Socket Appender in Apache Log4j Core does not perform TLS hostname
     verification of the peer certificate, even when the verifyHostName
     configuration attribute or the log4j2.sslVerifyHostName system property is
     set to true. This issue may allow a man-in-the-middle attacker to intercept
     or redirect log traffic under specific and hard to exploit conditions.
Files:
 258b9bc663276eca0284c21a7aeff59e 3051 java optional apache-log4j2_2.17.1-1~deb11u2.dsc
 6699f6c7aff5a7bb0ae6be954e0ee863 1291432 java optional apache-log4j2_2.17.1.orig.tar.xz
 c894e072eca35eeeb7ede617007ed39a 9868 java optional apache-log4j2_2.17.1-1~deb11u2.debian.tar.xz
 1bd4e4d4d0ba302860496524e3155db1 15550 java optional apache-log4j2_2.17.1-1~deb11u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmlugm5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkgwgQALm8rFTzFvXcFKG+M0pd+N4mVyd7Kl9beVE/
eJ4pgGeImBen7kCrHjWK8B28L13AeFFRRMvFcSgwsOLWE9o2KO9bktqcHnQrjkvU
bL+ZdpFZiKl8Czqr1pKBE6p55OQWHnEfjMiK1TCryAR4J1idGy6WkoBO9l7925Jq
FiXc3z/vYlmFHu2JeKtr9CtRb6l42PKoNGTa9s/ddYgFVgangz/AzPHm77kWJ2JT
gYgbRJ5rRZh544InJbD9g5/IpDvgFtdPV0lBNu6q+okO8PpPSjtcF/Dc7pnt9bES
djbu1ypVDA7uc5gbrqdqDPeLtMri++fzk7d5KD+Qjk+WCud00MP3ju6d6OjH6e/W
c9O/vJ7jALPuIAtNlq950GtIYj8pjs4dmukkGUyN54yN09pdsdUPBRFPIZ0xwxG2
zlNw/p1sz6Wjpk67Zu9TwRuig567Qs+WMdMYD0tXIPQcsG3i3ZLxkHT0jmvfPyib
hGzmMErj9V9VG+Ojm/56RiLvJH83dqr02AsZV4h6gTyJj59HBe/Pn+rZtYA/hrQM
RVP6bzeropJnDZhylfCpu+GFsDOdcHVpAlYyNWmnx1Eh8s6ad77iKodki3DWikex
naBL1h2DaVhme/6AENzfK2/Cl/ZccHiGYcdgAOLItdL8g6WXGA3bayoLXp2ZRlI4
NpcO7tXH
=Ax/l
-----END PGP SIGNATURE-----

News for package apache-log4j2