On Sun, Jan 30, 2022 at 10:12:53PM +0100, Markus Koschany wrote:
> On Fri, 28 Jan 2022 17:04:08 +0100 Christoph Anton Mitterer
> <cales...@scientia.org> wrote:
> > Package: liblog4j1.2-java
> > Version: 1.2.17-10
> >
> > A number of holes were found in the 1.2 branch of log4j.
> >
> > The following is apparently critical (code injection):
> > https://www.cvedetails.com/cve/CVE-2022-23307/
> >
> > https://www.cvedetails.com/cve/CVE-2022-23305/
> > https://www.cvedetails.com/cve/CVE-2022-23302/
>
> I intend to address these issues shortly. I believe we can just remove the
> affected classes because they are not used by our dependencies but I need to
> double-check that.

Hi Markus,
You might take some inspiration and/or patches from the reload4j project:
https://reload4j.qos.ch/

I have been using it as a drop-in replacement for the log4j 1.2.x jar for applications at ${dayjob} without any problem.

Once you decide how you would like to address the CVEs, we can discuss the possibility of packaging reload4j for bookworm as a replacement for apache-log4j1.2.

Cheers,
tony