Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Hello,

I would like to fix CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307 in apache-log4j1.2. These issues are less severe because the affected classes are not used by any of the reverse-dependencies. The features are not enabled by default. In order to completely mitigate the vulnerabilities, the classes have been removed completely. I believe this is safer than just stating the workaround in the security tracker.

Note that the fix in unstable differs from this approach because we recently discovered a new (unofficial) project that provides security fixes for apache-log4j1.2 again. Since we would like to see more exposure of those changes first, we have decided to just remove the unused classes in stable and oldstable.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

Regards,
Markus
Attachment: apache-log4j1.2_bullseye.debdiff.gz (application/gzip)
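The proposed fix mitigates the four CVEs by deleting the affected classes from the shipped jar rather than patching them. A practitioner reviewing such an upload wants a quick way to confirm that the rebuilt jar really no longer carries those classes. The following checker is an added example, not part of the bug report or of the Debian package; it maps each CVE to the class names the upstream advisories name (JMSAppender for CVE-2021-4104, JMSSink for CVE-2022-23302, JDBCAppender for CVE-2022-23305, the Chainsaw package for CVE-2022-23307), and reports which CVEs are still "live" in a given jar. The jar contents used here are constructed in memory as a fixture; the exact set of files the Debian debdiff removes is not reproduced.

```python
"""Report which of the four log4j 1.2 CVEs a jar still exposes, by class presence."""
import io
import sys
import zipfile

# CVE -> jar entry prefixes of the code that each advisory identifies.
# Mapping taken from the upstream advisories; this example assumes the
# mitigation is "class removed" and does not inspect class contents.
REMOVED_CLASSES = {
    "CVE-2021-4104": ("org/apache/log4j/net/JMSAppender",),
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink",),
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender",),
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/",),
}


def unmitigated_cves(jar_bytes):
    """Return {cve: [entries]} for every CVE whose classes are still in the jar.

    Prefix matching deliberately catches inner classes such as
    JMSAppender$1.class, which would otherwise survive a sloppy removal.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
    found = {}
    for cve, prefixes in REMOVED_CLASSES.items():
        hits = sorted(
            n for n in names
            if n.endswith(".class") and any(n.startswith(p) for p in prefixes)
        )
        if hits:
            found[cve] = hits
    return found


def scan_jar_file(path):
    """Convenience wrapper for a jar on disk, e.g. /usr/share/java/log4j-1.2.jar."""
    with open(path, "rb") as fh:
        return unmitigated_cves(fh.read())


def build_jar(entries):
    """Constructed fixture: an in-memory jar whose entries hold a stub class header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample jars: one before and one after removing the classes.
UNPATCHED_JAR = build_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSAppender$1.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
    "org/apache/log4j/chainsaw/Main.class",
    "org/apache/log4j/chainsaw/LoggingReceiver.class",
])
PATCHED_JAR = build_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketAppender.class",  # unrelated net class may stay
    "org/apache/log4j/jdbc/JDBCPatternLayout.class",  # not the appender itself
])


if __name__ == "__main__":
    target = scan_jar_file(sys.argv[1]) if len(sys.argv) > 1 else unmitigated_cves(UNPATCHED_JAR)
    if not target:
        print("all four CVEs mitigated: no affected classes present")
    for cve, entries in target.items():
        print(f"{cve}: still present -> {', '.join(entries)}")
```

Run it against the jar built from the proposed debdiff (`python3 check.py /usr/share/java/log4j-1.2.jar`); an empty result is the expected outcome for the stable/oldstable approach described above, while the unstable package, which keeps the classes and patches them instead, will still list them.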