1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 5024-1] apache-log4j2 security update

    From Markus Koschany@21:1/5 to All on Sat Dec 18 22:00:02 2021
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-5024-1 security@debian.org https://www.debian.org/security/ Markus Koschany December 18, 2021 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : apache-log4j2
    CVE ID : CVE-2021-45105
    Debian Bug : 1001891

    It was found that Apache Log4j2, a Logging Framework for Java, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a denial of service.

    For the oldstable distribution (buster), this problem has been fixed
    in version 2.17.0-1~deb10u1.

    For the stable distribution (bullseye), this problem has been fixed in
    version 2.17.0-1~deb11u1.

    We recommend that you upgrade your apache-log4j2 packages.

    For the detailed security status of apache-log4j2 please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/apache-log4j2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmG+Ro1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQVuBAArOperYABsLeaPcs3DgNxHcDDUNGCcvo5fsBtkh+MDvHMspqOb8VqLShx BtzPJGE0UTdBrfAqWeuMCbV1LdBYfwRUlrUyZiQXBiEx5BI5vDB4vaDUtAomwC6o vnbJwDlvlpoSwbURcls/Z0Hs15gwHX2D/lSa+j+NSxaNCkEOqvjr8dbpnHMSIbwz f0hSWQm4jydadUHP/zXSwN+LeZrJs+uP1tIdajtZjr6VoPkV48EDxCctaVttn27q 9DrGM9RjKGyCCKB/WrWToRbv/Mke20AJ4SOWoDdy1u/m2wcgW3pv1cap7J3RRjYO K5V5qacdJDo9FWoRkb1ftXlanyVe5DyI+j/9un+uZLSlOkeTha+hP+Tj2P/sx/Z4 xbpmPRGJ+O/BuxoPXUJNSTkh7vLu0CJkCfzi3Gj24c22jkBV3POJ7iZsFvNbJHAi 3i6VBc7e6tcqdiIhZqj/+odu2rCqeYqMbvhLL/slnQQVU4YMn3F1FtPWEpfAmQzP YCg2vLei5rTt3dYjA5aBluJPEPXO5rA5nZa3xq5hbzAJMl/m1yU9K6v73mCk9gnK yFHoaD+Ls97tPCMiO/56kIQecLv5s7GuuwLQlC8rm9TgXzl/m6rqst7a93IcsnV9 P+f2RZsciOyXo1N4zhakNkZ4dkmRZCfm9xCfeqAKUQgqVPXhBtE=
    =Wkr6
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)