Control: owner -1 !

On Tuesday, 14.12.2021 at 21:37 +0100, Salvatore Bonaccorso wrote:
> Source: apache-log4j2
> Version: 2.15.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
> Control: found -1 2.15.0-1~deb11u1
> Control: found -1 2.15.0-1~deb10u1
>
> Hi,
>
> The following vulnerability was published for apache-log4j2. Strictly
> speaking it's less severe than CVE-2021-44228 as it is an incomplete fix
> for the former CVE in certain non-default configurations.

Hi Salvatore,

I believe Stretch is not vulnerable to CVE-2021-45046 because I have removed
the JndiLookup class when I fixed CVE-2021-44228. Shall I release a new DSA
for CVE-2021-45046 or a regression update for CVE-2021-44228 because of the
incomplete upstream fix?

Regards,

Markus
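
One way to check for the mitigation described in the message above (the JndiLookup class removed from the shipped log4j-core), as an added example that is not part of the original message or of the Debian packaging. The archive names and contents below are constructed for the demonstration; the script only reports whether the class file is present and does not judge versions.

```python
import io
import zipfile

# Location of the JNDI lookup class inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def find_jndi_lookup(data, name="<archive>", depth=0, max_depth=4):
    """Return the archive paths (outer!/inner) that still ship JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip/jar, nothing to report
    with zf:
        for entry in zf.namelist():
            # Match the plain jar layout and copies under a prefix
            # such as WEB-INF/classes/ in a war.
            if entry == JNDI_CLASS or entry.endswith("/" + JNDI_CLASS):
                hits.append(name)
            # Recurse into bundled archives, with a depth limit.
            elif entry.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                hits += find_jndi_lookup(
                    zf.read(entry), f"{name}!/{entry}", depth + 1, max_depth
                )
    return hits


def _make_jar(entries):
    """Build an in-memory jar from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def demo():
    # Constructed sample: one jar with the class removed, one that still has it.
    stripped = _make_jar({"org/apache/logging/log4j/core/Logger.class": b"x"})
    bundled = _make_jar({JNDI_CLASS: b"x"})
    app = _make_jar({
        "WEB-INF/lib/log4j-core-stripped.jar": stripped,
        "WEB-INF/lib/log4j-core-bundled.jar": bundled,
    })
    return find_jndi_lookup(app, "app.war")


if __name__ == "__main__":
    for hit in demo():
        print("JndiLookup.class present in", hit)
```
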