Debian Package Tracker

apache-log4j1.2


general
  • source: apache-log4j1.2 (main)
  • version: 1.2.17-11
  • maintainer: Debian Java Maintainers
  • uploaders: Ludovic Claude – Jakub Adam – Varun Hiremath – Torsten Werner – Emmanuel Bourg
  • arch: all
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions
  • o-o-stable: 1.2.17-10+deb11u1
  • oldstable: 1.2.17-11
  • stable: 1.2.17-11
  • testing: 1.2.17-11
  • unstable: 1.2.17-11
binaries
  • liblog4j1.2-java
  • liblog4j1.2-java-doc
action needed
1 security issue in trixie [high]

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2026-34480: Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use:
      • JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
      • Alternative StAX implementations (e.g., Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.
    Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Created: 2026-04-12 Last update: 2026-05-08 17:30
1 security issue in sid [high]

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-34480: same issue as described under trixie above.
Created: 2026-04-12 Last update: 2026-05-08 17:30
1 security issue in forky [high]

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-34480: same issue as described under trixie above.
Created: 2026-04-12 Last update: 2026-05-08 17:30
1 security issue in bullseye [high]

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-34480: same issue as described under trixie above.
Created: 2026-04-12 Last update: 2026-05-08 17:30
1 security issue in bookworm [high]

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-34480: same issue as described under trixie above.
Created: 2026-04-12 Last update: 2026-05-08 17:30
Multiarch hinter reports 1 issue(s) [normal]
There are issues with the multiarch metadata for this package.
  • liblog4j1.2-java could be marked Multi-Arch: foreign
Created: 2016-09-14 Last update: 2026-05-11 23:30
2 new commits since last upload, is it time to release? [normal]
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 161f2428018a3df2ed0dc68fe82c47b178e940e1
Merge: 430143f 150f4ed
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Sun Sep 7 21:25:08 2025 +0200

    Merge branch 'multiarch-fixes' into 'master'
    
    Apply multi-arch hints
    
    See merge request java-team/apache-log4j1.2!1

commit 150f4ed79f6b5c8b31e82386601e3a53b15dda9a
Author: Janitor <jelmer+janitor@jelmer.uk>
Date:   Sun Sep 7 19:25:07 2025 +0000

    Apply multi-arch hints
Created: 2025-09-07 Last update: 2026-05-10 06:33
lintian reports 12 warnings [normal]
Lintian reports 12 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2021-04-11 Last update: 2024-02-28 15:02
debian/patches: 8 patches to forward upstream [low]

Among the 9 debian patches available in version 1.2.17-11 of the package, we noticed the following issues:

  • 8 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-02-26 15:54
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.0).
Created: 2022-05-11 Last update: 2026-03-31 15:01
news
  • [2022-03-05] Accepted apache-log4j1.2 1.2.17-10+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
  • [2022-02-13] Accepted apache-log4j1.2 1.2.17-8+deb10u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
  • [2022-02-02] apache-log4j1.2 1.2.17-11 MIGRATED to testing (Debian testing watch)
  • [2022-01-31] Accepted apache-log4j1.2 1.2.17-7+deb9u2 (source) into oldoldstable (Markus Koschany)
  • [2022-01-31] Accepted apache-log4j1.2 1.2.17-11 (source) into unstable (Markus Koschany)
  • [2021-02-10] apache-log4j1.2 1.2.17-10 MIGRATED to testing (Debian testing watch)
  • [2021-02-05] Accepted apache-log4j1.2 1.2.17-10 (source) into unstable (Emmanuel Bourg)
  • [2020-05-17] Accepted apache-log4j1.2 1.2.17-7+deb9u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
  • [2020-05-16] Accepted apache-log4j1.2 1.2.17-8+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
  • [2020-05-15] Accepted apache-log4j1.2 1.2.17-8+deb10u1 (source all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Markus Koschany)
  • [2020-05-15] Accepted apache-log4j1.2 1.2.17-7+deb9u1 (source all) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
  • [2020-01-15] apache-log4j1.2 1.2.17-9 MIGRATED to testing (Debian testing watch)
  • [2020-01-12] Accepted apache-log4j1.2 1.2.17-5+deb8u1 (source all) into oldoldstable (Markus Koschany)
  • [2020-01-11] Accepted apache-log4j1.2 1.2.17-9 (source) into unstable (Markus Koschany)
  • [2017-10-29] apache-log4j1.2 1.2.17-8 MIGRATED to testing (Debian testing watch)
  • [2017-10-21] Accepted apache-log4j1.2 1.2.17-8 (source) into unstable (Emmanuel Bourg)
  • [2015-11-23] apache-log4j1.2 1.2.17-7 MIGRATED to testing (Britney)
  • [2015-11-17] Accepted apache-log4j1.2 1.2.17-7 (source all) into unstable (Markus Koschany)
  • [2015-07-13] apache-log4j1.2 1.2.17-6 MIGRATED to testing (Britney)
  • [2015-07-07] Accepted apache-log4j1.2 1.2.17-6 (source all) into unstable (Hilko Bengen)
  • [2014-10-06] apache-log4j1.2 1.2.17-5 MIGRATED to testing (Britney)
  • [2014-09-30] Accepted apache-log4j1.2 1.2.17-5 (source all) into unstable (Emmanuel Bourg)
  • [2013-09-07] apache-log4j1.2 1.2.17-4 MIGRATED to testing (Debian testing watch)
  • [2013-08-27] Accepted apache-log4j1.2 1.2.17-4 (source all) (Emmanuel Bourg)
  • [2013-07-07] apache-log4j1.2 1.2.17-3 MIGRATED to testing (Debian testing watch)
  • [2013-06-26] Accepted apache-log4j1.2 1.2.17-3 (source all) (Emmanuel Bourg) (signed by: Niels Thykier)
  • [2013-05-17] apache-log4j1.2 1.2.17-2 MIGRATED to testing (Debian testing watch)
  • [2013-05-07] Accepted apache-log4j1.2 1.2.17-2 (source all) (tony mancill)
  • [2013-04-04] Accepted apache-log4j1.2 1.2.17-1 (source all) (Emmanuel Bourg) (signed by: tony mancill)
  • [2011-12-12] apache-log4j1.2 1.2.16-3 MIGRATED to testing (Debian testing watch)
bugs
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 12)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
ubuntu
  • version: 1.2.17-11build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers