Your message dated Tue, 18 Apr 2017 13:03:51 +0000
with message-id <e1d0snp-000amt...@fasolo.debian.org>
and subject line Bug#860489: fixed in apache-log4j2 2.7-2
has caused the Debian Bug report #860489,
regarding apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860489
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.0~beta9-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-1863

Hi,

the following vulnerability was published for apache-log4j2.

CVE-2017-5645[0]:
Apache Log4j socket receiver deserialization vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This one might warrant a DSA, but please check back with
t...@security.debian.org .

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
[1] https://issues.apache.org/jira/browse/LOG4J2-1863

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.7-2

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Apr 2017 14:30:00 +0200
Source: apache-log4j2
Binary: liblog4j2-java liblog4j2-java-doc
Architecture: source
Version: 2.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 liblog4j2-java - Apache Log4j - Logging Framework for Java
 liblog4j2-java-doc - Documentation for Apache Log4j 2
Closes: 860489
Changes:
 apache-log4j2 (2.7-2) unstable; urgency=medium
 .
   * Team upload.
   * Fixed CVE-2017-5645: When using the TCP socket server or UDP socket server
     to receive serialized log events from another application, a specially
     crafted binary payload can be sent that, when deserialized, can execute
     arbitrary code (Closes: #860489)


--- End Message ---
