Your message dated Tue, 18 Apr 2017 13:03:51 +0000 with message-id <e1d0snp-000amt...@fasolo.debian.org> and subject line Bug#860489: fixed in apache-log4j2 2.7-2 has caused the Debian Bug report #860489, regarding apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 860489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860489 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: apache-log4j2 Version: 2.0~beta9-1 Severity: grave Tags: security upstream Forwarded: https://issues.apache.org/jira/browse/LOG4J2-1863 Hi, the following vulnerability was published for apache-log4j2. CVE-2017-5645[0]: Apache Log4j socket receiver deserialization vulnerability If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. This one might warrant a DSA, but please check back with t...@security.debian.org . For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-5645 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645 [1] https://issues.apache.org/jira/browse/LOG4J2-1863 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: apache-log4j2 Source-Version: 2.7-2 We believe that the bug you reported is fixed in the latest version of apache-log4j2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 860...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Emmanuel Bourg <ebo...@apache.org> (supplier of updated apache-log4j2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 18 Apr 2017 14:30:00 +0200 Source: apache-log4j2 Binary: liblog4j2-java liblog4j2-java-doc Architecture: source Version: 2.7-2 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Emmanuel Bourg <ebo...@apache.org> Description: liblog4j2-java - Apache Log4j - Logging Framework for Java liblog4j2-java-doc - Documentation for Apache Log4j 2 Closes: 860489 Changes: apache-log4j2 (2.7-2) unstable; urgency=medium . * Team upload. * Fixed CVE-2017-5645: When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code (Closes: #860489) Checksums-Sha1: 876caec08e0dd244c2f659a5929b77003362360e 2886 apache-log4j2_2.7-2.dsc e0d5b663d2238cc59c0d7a9e1efaea4aaa4825b9 8440 apache-log4j2_2.7-2.debian.tar.xz 9c1f873b9743e386c1829f3f62d062a943fdac2e 14653 apache-log4j2_2.7-2_source.buildinfo Checksums-Sha256: dfa96b6d21c6c4d698640d2ba5e918306da215cdabf0dbc1b3c65686379e0d26 2886 apache-log4j2_2.7-2.dsc 68fef80f76648b9835ce7990a9238d86cff99af722e2d28a5528ddced3f07c71 8440 apache-log4j2_2.7-2.debian.tar.xz 33ce7f2156f8ec4ee5c9aebf0b54296343f772cd2aad6937eb550e47351e9b60 14653 apache-log4j2_2.7-2_source.buildinfo Files: ee59e794d0c7205f735742c58a83dd76 2886 java optional apache-log4j2_2.7-2.dsc c405df976dea2058f26495918141df8b 8440 java optional apache-log4j2_2.7-2.debian.tar.xz 978daedb3c643314ebdb5030a63f5d5c 14653 java optional apache-log4j2_2.7-2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlj2Cp8SHGVib3VyZ0Bh cGFjaGUub3JnAAoJEPUTxBnkudCsOzIP+wSzPlVMZO9SrnlPh9rlRL/p3DLYlAXB Fh0LbqaN4IFur1LyzIUGfWFLXNdHQW/CSwfGql1hUC07MohRjAdznUQe0BQzAb2W 8KYUvabxnpkRoLaFJ+4Y1nC8X/fXTqp+2285oFWwmshp5nbQFynIgB+i6MxWab4m dPuGD1bEtNqoA9XcVl3mKyHwHwNk+T7mpmTjRNyZ2HSCAu3s4fRHn/C8C8vs6k0c iQ94coHJ18fMF1O1bKP9ShQt2W+eesmUI7AnaOVb1CE+UpziIGPRYz9WxAWLpSg+ zDY2eh0FEocPHZfuJPkngWGfjS6fjNsYx/HgEWJw2kZc8GQdk257VR++0cbPRzbc rQJKizXC34E7lWu8U9jKVCG8SBOqbcITMUlgNut2a/qdAgELl4O/Nv5vTE67mF81 2uJ7FSRPShDQxlo9PRz+oJ7pRRKFJAULnYZBrAjsyqtWcrDI+/MpEhit21GX3Hs3 OiZS2wdHXyfxmzjk/AiDdkc669HHu0uWcGTVrZYY81hxBP1Jpn9cbXhCQ1CDW07b TODQE1RF81fJtauNpp2yE3wqG9TlywY4SK6255PVIZDeUM+EbuTXV3YOgL3P1Lo7 sFCs0+meoqQXyPGjfiXo15qdj9bSF0QEiRogidtqYhVDIdNZ6GimVyVa1D6r3Smp wHsiqOUV8l7u =BcgQ -----END PGP SIGNATURE-----
--- End Message ---
