Package: liblog4j1.2-java
Version: 1.2.17-10
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hey.

A number of holes were found in the 1.2 branch of log4j. The following is apparently critical (code injection):

https://www.cvedetails.com/cve/CVE-2022-23307/
https://www.cvedetails.com/cve/CVE-2022-23305/
https://www.cvedetails.com/cve/CVE-2022-23302/

AFAIU there is no support anymore for these from upstream, and it seems:

https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh

there are no plans to fix it.

EGI recommends:

  "For services where chainsaw is installed but not used apply the mitigation
   zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*"

Not sure if that could be done for the Debian package in a new version?

Is Debian going to do anything about these?

Thanks,
Chris.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
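The EGI mitigation quoted in the report is a one-liner with `zip -d`, which deletes the `org/apache/log4j/chainsaw/` entries from the jar in place. The script below is an added example (not from the bug report, EGI, or the Debian package) that performs the same entry removal with Python's `zipfile` and then verifies it: it lists the chainsaw entries before, rewrites the archive without them, confirms none remain, and runs an integrity check on the result. Because `zipfile` cannot delete entries in place, the archive is rewritten to a temporary file and swapped in. The jar it operates on is a constructed stand-in with a handful of placeholder class entries, not the real log4j jar; to apply it to an installed jar, call `strip_prefix()` on that path instead of `mitigate_sample()`. One caveat for anyone applying the mitigation: it addresses only the Chainsaw issue (CVE-2022-23307); the other two CVEs in the report concern different log4j 1.2 components and are not touched by removing the chainsaw classes.

```python
"""Strip the Chainsaw classes out of a log4j 1.2 jar and verify the result.

Added example: mirrors `zip -q -d log4j*.jar org/apache/log4j/chainsaw/*`
using only the Python standard library, so it runs without zip/unzip.
"""
import os
import tempfile
import zipfile

# Jar entries under this prefix are dropped (same pattern as the zip -d command).
CHAINSAW_PREFIX = "org/apache/log4j/chainsaw/"


def build_sample_jar(path):
    """Write a constructed stand-in for a log4j 1.2 jar (placeholder class bodies)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/chainsaw/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/chainsaw/LoggingReceiver.class", b"\xca\xfe\xba\xbe")


def list_entries(path, prefix):
    """Return the sorted archive entries whose name starts with prefix."""
    with zipfile.ZipFile(path) as zf:
        return sorted(n for n in zf.namelist() if n.startswith(prefix))


def strip_prefix(jar_path, prefix):
    """Rewrite jar_path without any entry under prefix; return the removed names.

    zipfile has no delete, so every other entry is copied to a temporary
    archive (keeping its original ZipInfo metadata) which then replaces
    the original atomically.
    """
    removed = []
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(prefix):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return sorted(removed)


def mitigate_sample():
    """Build the sample jar, strip chainsaw, and return (before, removed, after, remaining)."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "log4j-1.2.17.jar")
        build_sample_jar(jar)
        before = list_entries(jar, CHAINSAW_PREFIX)
        removed = strip_prefix(jar, CHAINSAW_PREFIX)
        after = list_entries(jar, CHAINSAW_PREFIX)
        with zipfile.ZipFile(jar) as zf:
            # testzip() returns the first corrupt entry name, or None when all CRCs check out.
            if zf.testzip() is not None:
                raise RuntimeError("rewritten jar failed integrity check")
            remaining = sorted(zf.namelist())
        return before, removed, after, remaining


if __name__ == "__main__":
    before, removed, after, remaining = mitigate_sample()
    print("chainsaw entries before:", before)
    print("removed:", removed)
    print("chainsaw entries after:", after)
    print("entries left in jar:", remaining)
```

After running this against a real jar, the check a practitioner wants is simply that `list_entries(jar, CHAINSAW_PREFIX)` comes back empty and `testzip()` returns `None`; any application that still loads the jar should be restarted so it picks up the rewritten archive.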