Register | Log in

apache-log4j2

Apache Log4j - Logging Framework for Java

Choose email to subscribe with

general

source: apache-log4j2 (main)
version: 2.19.0-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.17.1-1~deb11u1
o-o-sec: 2.17.0-1~deb11u1
oldstable: 2.19.0-2
stable: 2.19.0-2
testing: 2.19.0-2
unstable: 2.19.0-2

versioned links

2.17.0-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.17.1-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.19.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

liblog4j2-java

action needed

A new upstream version is available: 2.25.3 high

A new upstream version 2.25.3 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2025-12-25 03:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Created: 2025-12-19 Last update: 2025-12-21 10:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Created: 2025-12-19 Last update: 2025-12-21 10:02

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Created: 2025-12-19 Last update: 2025-12-21 10:02

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Created: 2025-12-19 Last update: 2025-12-21 10:02

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-68161: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Created: 2025-12-19 Last update: 2025-12-21 10:02

lintian reports 9 warnings high

Lintian reports 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2022-12-16 15:48

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-07-23 Last update: 2025-12-25 07:30

3 open merge requests in Salsa normal

There are 3 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-08-19 06:28

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-12-23 20:00

news

[2022-12-28] apache-log4j2 2.19.0-2 MIGRATED to testing (Debian testing watch)
[2022-12-22] Accepted apache-log4j2 2.19.0-2 (source) into unstable (tony mancill)
[2022-12-20] apache-log4j2 2.19.0-1 MIGRATED to testing (Debian testing watch)
[2022-12-15] Accepted apache-log4j2 2.19.0-1 (source) into unstable (Emmanuel Bourg)
[2022-05-10] apache-log4j2 2.17.2-1 MIGRATED to testing (Debian testing watch)
[2022-05-05] Accepted apache-log4j2 2.17.2-1 (source) into unstable (Markus Koschany)
[2022-02-13] Accepted apache-log4j2 2.17.1-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-02-13] Accepted apache-log4j2 2.17.1-1~deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-31] apache-log4j2 2.17.1-1 MIGRATED to testing (Debian testing watch)
[2021-12-29] Accepted apache-log4j2 2.12.4-0+deb9u1 (source) into oldoldstable (Markus Koschany)
[2021-12-29] Accepted apache-log4j2 2.17.1-1 (source) into unstable (Markus Koschany)
[2021-12-26] Accepted apache-log4j2 2.12.3-0+deb9u1 (source) into oldoldstable (Markus Koschany)
[2021-12-24] Accepted apache-log4j2 2.17.0-1~deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-24] Accepted apache-log4j2 2.17.0-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-24] Accepted apache-log4j2 2.15.0-1~deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-24] Accepted apache-log4j2 2.16.0-1~deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-21] apache-log4j2 2.17.0-1 MIGRATED to testing (Debian testing watch)
[2021-12-18] Accepted apache-log4j2 2.17.0-1~deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-18] Accepted apache-log4j2 2.17.0-1~deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-18] Accepted apache-log4j2 2.17.0-1 (source) into unstable (Markus Koschany)
[2021-12-17] apache-log4j2 2.16.0-1 MIGRATED to testing (Debian testing watch)
[2021-12-16] Accepted apache-log4j2 2.16.0-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-16] Accepted apache-log4j2 2.16.0-1~deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-16] Accepted apache-log4j2 2.16.0-1~deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-15] Accepted apache-log4j2 2.16.0-1 (source) into unstable (Markus Koschany)
[2021-12-14] apache-log4j2 2.15.0-1 MIGRATED to testing (Debian testing watch)
[2021-12-12] Accepted apache-log4j2 2.7-2+deb9u1 (source) into oldoldstable (Markus Koschany)
[2021-12-12] Accepted apache-log4j2 2.15.0-1~deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-11] Accepted apache-log4j2 2.15.0-1~deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Markus Koschany)
[2021-12-11] Accepted apache-log4j2 2.15.0-1~deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 9)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.19.0-2build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing