Your message dated Sun, 17 May 2020 18:17:26 +0000
with message-id <e1janqo-000a2s...@fasolo.debian.org>
and subject line Bug#947124: fixed in apache-log4j1.2 1.2.17-7+deb9u1
has caused the Debian Bug report #947124,
regarding apache-log4j1.2: CVE-2019-17571
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
947124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j1.2
Version: 1.2.17-8
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.2.17-7
Control: found -1 1.2.17-5

Hi,

The following vulnerability was published for apache-log4j1.2.

CVE-2019-17571[0]:
| Included in Log4j 1.2 is a SocketServer class that is vulnerable to
| deserialization of untrusted data which can be exploited to remotely
| execute arbitrary code when combined with a deserialization gadget
| when listening to untrusted network traffic for log data. This affects
| Log4j versions up to 1.2 up to 1.2.17.

Note that this issue corresponds to the old CVE-2017-5645 for the 2.x
branch codebase[1].

1.2 reached end of life in 2015 accordingly, and the "right move"
would be to switch to 2.x, which raises a question from a security
support point of view: we would need to fade out apache-log4j1.2 for
bullseye at least now, right? From a quick check via a simulated dak
rm, it looks impossible right now to actually remove it. Are there
current plans from the Debian Java Maintainers for that? Or is there
something I currently just miss from the big picture?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17571
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
[1] https://www.openwall.com/lists/oss-security/2019/12/19/2

Regards,
Salvatore

--- End Message ---
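Added example, not code from the Debian package, from Apache Log4j, or from this bug thread: the unfiltered ObjectInputStream read that the CVE text describes, next to a receiver hardened with a JDK 9+ ObjectInputFilter allowlist. The allowlisted class set, the port and the class name are assumptions.

```java
// Added example, not code from the Debian package, Apache Log4j, or this thread.
// Assumes JDK 9+ (java.io.ObjectInputFilter) and the log4j 1.2 jar on the classpath.
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import org.apache.log4j.spi.LoggingEvent;

public class FilteredLogReceiver {

    // The pattern the CVE text describes: whatever class the peer serialized is resolved
    // and instantiated here, so a crafted stream can reach gadget classes on the classpath.
    static Object readUnfiltered(InputStream in) throws IOException, ClassNotFoundException {
        return new ObjectInputStream(in).readObject();
    }

    // Hardened form (JEP 290): only LoggingEvent and the value types it carries are allowed;
    // "!*" rejects everything else before any constructor runs. Assumed allowlist: check it
    // against the exact Log4j build in use.
    static final ObjectInputFilter EVENT_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=512;maxbytes=65536;"
            + "org.apache.log4j.spi.LoggingEvent;org.apache.log4j.spi.LocationInfo;"
            + "org.apache.log4j.spi.ThrowableInformation;"
            + "java.lang.String;java.util.Hashtable;!*");

    static LoggingEvent readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(EVENT_FILTER); // a rejected class -> InvalidClassException
        Object o = ois.readObject();
        if (!(o instanceof LoggingEvent)) {
            throw new IOException("unexpected object: " + o);
        }
        return (LoggingEvent) o;
    }

    public static void main(String[] args) {
        // Loopback only: the CVE requires the listener to be reachable by untrusted peers.
        try (ServerSocket srv = new ServerSocket(4560, 50, InetAddress.getLoopbackAddress());
             Socket peer = srv.accept()) {
            LoggingEvent ev = readFiltered(peer.getInputStream());
            System.out.println(ev.getLoggerName() + ": " + ev.getRenderedMessage());
        } catch (ClassNotFoundException | IOException e) {
            // A filtered-out class surfaces here as InvalidClassException: log it and drop the peer.
            System.err.println("rejected event: " + e);
        }
    }
}
```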
--- Begin Message ---
Source: apache-log4j1.2
Source-Version: 1.2.17-7+deb9u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j1.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j1.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2020 16:38:32 +0200
Source: apache-log4j1.2
Binary: liblog4j1.2-java liblog4j1.2-java-doc
Architecture: source all
Version: 1.2.17-7+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblog4j1.2-java - Logging library for java
 liblog4j1.2-java-doc - Documentation for liblog4j1.2-java
Closes: 947124
Changes:
 apache-log4j1.2 (1.2.17-7+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17571. (Closes: #947124)
     Included in Log4j 1.2 is a SocketServer class that is vulnerable to
     deserialization of untrusted data which can be exploited to remotely
     execute arbitrary code when combined with a deserialization gadget when
     listening to untrusted network traffic for log data.


--- End Message ---