Debian Bug report logs - #860489
apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 17 Apr 2017 19:24:02 UTC

Severity: grave

Tags: security, upstream

Found in version apache-log4j2/2.0~beta9-1

Fixed in version apache-log4j2/2.7-2

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/LOG4J2-1863



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860489; Package src:apache-log4j2. (Mon, 17 Apr 2017 19:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 17 Apr 2017 19:24:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability
Date: Mon, 17 Apr 2017 21:20:28 +0200
Source: apache-log4j2
Version: 2.0~beta9-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/LOG4J2-1863

Hi,

the following vulnerability was published for apache-log4j2.

CVE-2017-5645[0]:
Apache Log4j socket receiver deserialization vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This one might warrant a DSA, but please check back with
team@security.debian.org .

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
[1] https://issues.apache.org/jira/browse/LOG4J2-1863

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860489; Package src:apache-log4j2. (Tue, 18 Apr 2017 12:48:03 GMT) (full text, mbox, link).


Message #8 received at 860489@bugs.debian.org (full text, mbox, reply):

From: pkg-java-maintainers@lists.alioth.debian.org
To: 860489@bugs.debian.org, 860489-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the apache-log4j2 package
Date: Tue, 18 Apr 2017 12:46:10 +0000
tag 860489 + pending
thanks

Some bugs in the apache-log4j2 package are closed in revision
799b96337bcf909193aa76c6090ba511c05b64f6 in branch 'master' by
Emmanuel Bourg

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/apache-log4j2.git/commit/?id=799b963

Commit message:

    Fixed CVE-2017-5645: Remote code execution with the TCP/UDP socket server (Closes: #860489)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Tue, 18 Apr 2017 12:48:05 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#860489. (Tue, 18 Apr 2017 12:48:07 GMT) (full text, mbox, link).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 18 Apr 2017 13:06:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 18 Apr 2017 13:06:07 GMT) (full text, mbox, link).


Message #18 received at 860489-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 860489-close@bugs.debian.org
Subject: Bug#860489: fixed in apache-log4j2 2.7-2
Date: Tue, 18 Apr 2017 13:03:51 +0000
Source: apache-log4j2
Source-Version: 2.7-2

We believe that the bug you reported is fixed in the latest version of
apache-log4j2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860489@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated apache-log4j2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Apr 2017 14:30:00 +0200
Source: apache-log4j2
Binary: liblog4j2-java liblog4j2-java-doc
Architecture: source
Version: 2.7-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 liblog4j2-java - Apache Log4j - Logging Framework for Java
 liblog4j2-java-doc - Documentation for Apache Log4j 2
Closes: 860489
Changes:
 apache-log4j2 (2.7-2) unstable; urgency=medium
 .
   * Team upload.
   * Fixed CVE-2017-5645: When using the TCP socket server or UDP socket server
     to receive serialized log events from another application, a specially
     crafted binary payload can be sent that, when deserialized, can execute
     arbitrary code (Closes: #860489)
Checksums-Sha1:
 876caec08e0dd244c2f659a5929b77003362360e 2886 apache-log4j2_2.7-2.dsc
 e0d5b663d2238cc59c0d7a9e1efaea4aaa4825b9 8440 apache-log4j2_2.7-2.debian.tar.xz
 9c1f873b9743e386c1829f3f62d062a943fdac2e 14653 apache-log4j2_2.7-2_source.buildinfo
Checksums-Sha256:
 dfa96b6d21c6c4d698640d2ba5e918306da215cdabf0dbc1b3c65686379e0d26 2886 apache-log4j2_2.7-2.dsc
 68fef80f76648b9835ce7990a9238d86cff99af722e2d28a5528ddced3f07c71 8440 apache-log4j2_2.7-2.debian.tar.xz
 33ce7f2156f8ec4ee5c9aebf0b54296343f772cd2aad6937eb550e47351e9b60 14653 apache-log4j2_2.7-2_source.buildinfo
Files:
 ee59e794d0c7205f735742c58a83dd76 2886 java optional apache-log4j2_2.7-2.dsc
 c405df976dea2058f26495918141df8b 8440 java optional apache-log4j2_2.7-2.debian.tar.xz
 978daedb3c643314ebdb5030a63f5d5c 14653 java optional apache-log4j2_2.7-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlj2Cp8SHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsOzIP+wSzPlVMZO9SrnlPh9rlRL/p3DLYlAXB
Fh0LbqaN4IFur1LyzIUGfWFLXNdHQW/CSwfGql1hUC07MohRjAdznUQe0BQzAb2W
8KYUvabxnpkRoLaFJ+4Y1nC8X/fXTqp+2285oFWwmshp5nbQFynIgB+i6MxWab4m
dPuGD1bEtNqoA9XcVl3mKyHwHwNk+T7mpmTjRNyZ2HSCAu3s4fRHn/C8C8vs6k0c
iQ94coHJ18fMF1O1bKP9ShQt2W+eesmUI7AnaOVb1CE+UpziIGPRYz9WxAWLpSg+
zDY2eh0FEocPHZfuJPkngWGfjS6fjNsYx/HgEWJw2kZc8GQdk257VR++0cbPRzbc
rQJKizXC34E7lWu8U9jKVCG8SBOqbcITMUlgNut2a/qdAgELl4O/Nv5vTE67mF81
2uJ7FSRPShDQxlo9PRz+oJ7pRRKFJAULnYZBrAjsyqtWcrDI+/MpEhit21GX3Hs3
OiZS2wdHXyfxmzjk/AiDdkc669HHu0uWcGTVrZYY81hxBP1Jpn9cbXhCQ1CDW07b
TODQE1RF81fJtauNpp2yE3wqG9TlywY4SK6255PVIZDeUM+EbuTXV3YOgL3P1Lo7
sFCs0+meoqQXyPGjfiXo15qdj9bSF0QEiRogidtqYhVDIdNZ6GimVyVa1D6r3Smp
wHsiqOUV8l7u
=BcgQ
-----END PGP SIGNATURE-----
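The changelog entry above describes the bug class precisely: a socket receiver reads serialized Java objects from the network and hands them to an unfiltered ObjectInputStream, so any serializable class on the classpath can be instantiated by whoever can reach the port. The standard mitigation is to decide which classes a log-event payload may contain before a single object is instantiated. The following is an added illustration of that allow-list technique in Java; it is not Log4j code and not part of the Debian package. `LogEvent`, the allow-list contents and the two sample payloads are constructed here for the demonstration, and the unexpected payload is an ordinary `HashMap`, standing in for "anything that is not the expected event type".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration of allow-list deserialization for a log-event receiver.
// Not Log4j code: LogEvent, the allow-list and the payloads are constructed here.
public class FilteredLogEventReader {

    // Hypothetical event type a socket receiver expects on the wire.
    static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String logger;
        final String level;
        final String message;

        LogEvent(String logger, String level, String message) {
            this.logger = logger;
            this.level = level;
            this.message = message;
        }
    }

    // Constructed allow-list: the event class plus the JDK value types it holds.
    // Everything else is refused, whatever else happens to be on the classpath.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(LogEvent.class.getName(), "java.lang.String")));

    // ObjectInputStream that rejects any class not on the allow-list. resolveClass
    // runs while the stream is still reading the class descriptor, i.e. before an
    // instance exists, so readObject/readResolve logic of other classes never runs.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name,
                        "class not permitted by deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Helper used only to build the sample payloads for this demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // What a hardened receiver would call on each incoming payload.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected traffic: a serialized LogEvent deserializes normally.
        byte[] good = serialize(new LogEvent("app", "INFO", "started"));
        LogEvent ev = (LogEvent) readFiltered(good);
        System.out.println("accepted: " + ev.logger + " " + ev.level + " " + ev.message);

        // Unexpected traffic: a payload built from another class is refused
        // before it is instantiated. A HashMap stands in for "not a LogEvent".
        byte[] other = serialize(new java.util.HashMap<String, String>());
        try {
            readFiltered(other);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac FilteredLogEventReader.java && java FilteredLogEventReader`; the first payload is accepted and the second is refused with an `InvalidClassException` naming `java.util.HashMap`. On Java 9 and later the same policy can be expressed without subclassing, through `ObjectInputStream.setObjectInputFilter` (JEP 290), and an allow-list is the right shape for it: a deny-list of known gadget classes has to be maintained against every new library on the classpath, while an allow-list only has to describe the one message type the receiver is meant to accept. Independently of the filter, a receiver of this kind should not be reachable from networks that are not trusted to submit log events, and connection attempts from unexpected sources to its port are worth alerting on.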




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860489; Package src:apache-log4j2. (Tue, 18 Apr 2017 15:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 18 Apr 2017 15:45:03 GMT) (full text, mbox, link).


Message #23 received at 860489@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 860489@bugs.debian.org, "team@security.debian.org" <team@security.debian.org>
Subject: Re: Bug#860489: apache-log4j2: CVE-2017-5645: socket receiver deserialization vulnerability
Date: Tue, 18 Apr 2017 15:49:58 +0200
On 17/04/2017 at 21:20, Salvatore Bonaccorso wrote:

> the following vulnerability was published for apache-log4j2.
> 
> CVE-2017-5645[0]:
> Apache Log4j socket receiver deserialization vulnerability

Hi Salvatore,

The vulnerability has been fixed in unstable. liblog4j2-java isn't used
in jessie, so this CVE can be ignored there.

Emmanuel Bourg




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:54:49 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:28:50 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.