Your message dated Fri, 24 Dec 2021 13:52:50 +0000
with message-id <e1n0l06-00038d...@fasolo.debian.org>
and subject line Bug#1001891: fixed in apache-log4j2 2.17.0-1~deb11u1
has caused the Debian Bug report #1001891,
regarding apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001891: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: apache-log4j2
Version: 2.16.0-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3230
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.16.0-1~deb11u1
Control: found -1 2.16.0-1~deb10u1

Hi,

The following vulnerability was published for apache-log4j2, again
with a lesser impact.

CVE-2021-45105[0]:
| Certain strings can cause infinite recursion

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45105
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
[1] https://issues.apache.org/jira/browse/LOG4J2-3230
[2] https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache-log4j2
Source-Version: 2.17.0-1~deb11u1
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Dec 2021 18:56:50 +0100
Source: apache-log4j2
Architecture: source
Version: 2.17.0-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1001891
Changes:
 apache-log4j2 (2.17.0-1~deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Backport 2.17.0-1 to Bullseye and fix CVE-2021-45105. (Closes: #1001891)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
