Package: liblog4j1.2-java
Version: 1.2.17-10
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hey.

A number of holes was found in the 1.2 branch of log4j.

The following is apparently critical (code injection):
https://www.cvedetails.com/cve/CVE-2022-23307/

https://www.cvedetails.com/cve/CVE-2022-23305/
https://www.cvedetails.com/cve/CVE-2022-23302/


AFAIU there is no support anymore form these from upstream, and seems:
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
there are no plans to fix it.

EGI recommends: "For services where chainsaw is installed but not used apply 
the mitigation
zip -q -d /usr/share/cassandra/lib/log4j*.jar  org/apache/log4j/chainsaw/*"

Not sure if that could be done for the Debian package in a new version?


Is Debian going to do anything about these?


Thanks,
Chris.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply via email to