Your message dated Sat, 11 Jan 2020 22:34:14 +0000
with message-id <e1iqpkg-000ggf...@fasolo.debian.org>
and subject line Bug#947124: fixed in apache-log4j1.2 1.2.17-9
has caused the Debian Bug report #947124,
regarding apache-log4j1.2: CVE-2019-17571
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
947124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j1.2
Version: 1.2.17-8
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.2.17-7
Control: found -1 1.2.17-5

Hi,

The following vulnerability was published for apache-log4j1.2.

CVE-2019-17571[0]:
| Included in Log4j 1.2 is a SocketServer class that is vulnerable to
| deserialization of untrusted data which can be exploited to remotely
| execute arbitrary code when combined with a deserialization gadget
| when listening to untrusted network traffic for log data. This affects
| Log4j versions up to 1.2 up to 1.2.17.

Note that this issue corresponds to the old CVE-2017-5645 for the 2.x
branch codebase[1].

1.2 reached end of life in 2015 accordingly, and the "right move"
would be to switch to 2.x. Which raises a question from security
support point of view: We would need to fade out apache-log4j1.2 for
bullseye at least now right? From a quick check via a simulated dak
rm, it looks right now impossible to actually remove it. Are there
current plans from the Debian Java Maintainers for that? Or is there
something I currently just miss from the big picture?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17571
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
[1] https://www.openwall.com/lists/oss-security/2019/12/19/2

Regards,
Salvatore

--- End Message ---
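The report above describes the exposure (a shipped SocketServer class that deserializes whatever arrives on its log port) and names the affected range ("up to 1.2.17"). An inventory check that a defender can run to find such jars follows, as an added example that is not part of the bug report and not code from Debian or the Log4j project. It assumes the upstream jar layout, namely that the server-side classes live at org/apache/log4j/net/SocketServer.class and SocketNode.class and that the version is recorded in META-INF/maven/log4j/log4j/pom.properties; the sample jars it scans are constructed in a temporary directory so the script runs offline.

```python
"""Inventory check for Log4j 1.2 jars that ship the SocketServer class (CVE-2019-17571).

Added example; not Debian's or Log4j's code. Assumes the upstream jar layout:
the server-side classes sit under org/apache/log4j/net/ and the version is
recorded in META-INF/maven/log4j/log4j/pom.properties.
"""
import os
import re
import tempfile
import zipfile

SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
SOCKET_NODE_CLASS = "org/apache/log4j/net/SocketNode.class"  # reads the serialized LoggingEvents
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"
LAST_AFFECTED = (1, 2, 17)  # "up to 1.2.17" per the CVE text quoted in the report


def parse_version(text):
    """Return a (major, minor, patch) tuple from a pom.properties body, or None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def inspect_jar(path):
    """Report whether a jar carries the socket-server classes and which upstream version it claims.

    Returns {"path", "has_socket_server", "version", "affected"}; "affected" is True when
    the classes are present and the version is unknown or <= 1.2.17.
    """
    result = {"path": path, "has_socket_server": False, "version": None, "affected": False}
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            result["has_socket_server"] = SOCKET_SERVER_CLASS in names or SOCKET_NODE_CLASS in names
            if POM_PROPERTIES in names:
                result["version"] = parse_version(jar.read(POM_PROPERTIES).decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return result  # not a jar at all; leave every flag at its default
    if result["has_socket_server"]:
        result["affected"] = result["version"] is None or result["version"] <= LAST_AFFECTED
    return result


def scan_tree(root):
    """Walk a directory tree and return inspect_jar() results for every *.jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings


def make_sample_jar(path, version, with_socket_server=True):
    """Constructed sample jar for offline use: only the entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=%s\n" % version)
        if with_socket_server:
            # Class-file magic bytes only; the scanner keys on the entry names, not the bytecode.
            jar.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")
            jar.writestr(SOCKET_NODE_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars in a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"), "1.2.17")
        make_sample_jar(os.path.join(tmp, "log4j-1.2.15.jar"), "1.2.15")
        # A jar with the socket-server classes stripped out: same version string, no exposure.
        make_sample_jar(os.path.join(tmp, "log4j-trimmed.jar"), "1.2.17", with_socket_server=False)
        findings = scan_tree(tmp)
    for f in sorted(findings, key=lambda f: f["path"]):
        print("%-40s socket_server=%-5s version=%-12s affected=%s"
              % (os.path.basename(f["path"]), f["has_socket_server"], f["version"], f["affected"]))
    return findings


if __name__ == "__main__":
    demo()
```

One caveat for Debian hosts in particular: the fixed package announced below is 1.2.17-9, a Debian revision of the same upstream 1.2.17, so its jar still reports version=1.2.17 in pom.properties and this check would flag it. For jars that come from a Debian package, compare the installed package version with dpkg against 1.2.17-9 rather than trusting the upstream version string; the jar scan is for copies bundled with applications outside the package manager.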
--- Begin Message ---
Source: apache-log4j1.2
Source-Version: 1.2.17-9

We believe that the bug you reported is fixed in the latest version of
apache-log4j1.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j1.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Jan 2020 23:06:27 +0100
Source: apache-log4j1.2
Architecture: source
Version: 1.2.17-9
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 947124
Changes:
 apache-log4j1.2 (1.2.17-9) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17571. (Closes: #947124)
     Included in Log4j 1.2 is a SocketServer class that is vulnerable to
     deserialization of untrusted data which can be exploited to remotely
     execute arbitrary code when combined with a deserialization gadget when
     listening to untrusted network traffic for log data.
   * Switch to debhelper-compat = 12.
   * Declare compliance with Debian Policy 4.4.1.
   * Use canonical VCS URI.
Checksums-Sha1:
 7509b3e1b006af179cb8fbe4f80e9c87702fcfc8 2456 apache-log4j1.2_1.2.17-9.dsc
 473a6d296a4cb7d6a73a5dbea95aa9ef6615cf22 9892 apache-log4j1.2_1.2.17-9.debian.tar.xz
 c6137a1443683270b7a06a61e8337c46de1d125a 9175 apache-log4j1.2_1.2.17-9_amd64.buildinfo
Checksums-Sha256:
 94af9dc41077911b2a9f18cd01efe56996cfe5dcabaf8541e48718c0cddb9569 2456 apache-log4j1.2_1.2.17-9.dsc
 303485eef0bc8c6c1de0b60e89aec879a34df74af74f2a136052c9c93c983363 9892 apache-log4j1.2_1.2.17-9.debian.tar.xz
 69da4f0f1303822592f03e22badb875917c2e7b61eab97e817eb4463d2e6a012 9175 apache-log4j1.2_1.2.17-9_amd64.buildinfo
Files:
 5b207c7553c7131833d170819c11c22f 2456 java optional apache-log4j1.2_1.2.17-9.dsc
 df3445aecf28c89eaf78d5e6e20be69d 9892 java optional apache-log4j1.2_1.2.17-9.debian.tar.xz
 e2c0334016aa0217f7f0ba039e6ad53f 9175 java optional apache-log4j1.2_1.2.17-9_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---