Hi Chris, (sorry forgot to CC debian-lts)
I think that was a mistake. We definitely should fix apache-log4j1.2 in all distributions because a lot of packages depend on it. However, the vulnerability surfaces only when you use the (optional) option to log to a remote server. I am quite sure that most of our packages just need it as a build-dependency and to log to a file or stdout.

The patch for apache-log4j2 is quite different and can't be applied as is. I still think I can backport it, so I wanted to give it a try.

I also recommend letting me handle triaging work because I am officially frontdesk at the moment. You can always grab a package and work on it, but let frontdesk handle general triaging work, or at least CC him/her or move the discussion to debian-lts for more public awareness.

Regards,

Markus