------------------------------------------------------------------------- Debian LTS Advisory DLA-2852-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany December 26, 2021 https://wiki.debian.org/LTS -------------------------------------------------------------------------
Package : apache-log4j2 Version : 2.12.3-0+deb9u1 CVE ID : CVE-2020-9488 CVE-2021-45105 Debian Bug : 959450 1001891 Several security vulnerabilities were found in Apache Log4j2, a Logging Framework for Java, which could lead to a denial of service or information disclosure. CVE-2020-9488 Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. CVE-2021-45105 Apache Log4j2 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. For Debian 9 stretch, these problems have been fixed in version 2.12.3-0+deb9u1. We recommend that you upgrade your apache-log4j2 packages. For the detailed security status of apache-log4j2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache-log4j2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
signature.asc
Description: This is a digitally signed message part