Debian Bug report logs -
#1004482
liblog4j1.2-java: CVE-2022-23307 CVE-2022-23305 CVE-2022-23302
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#1004482
; Package liblog4j1.2-java
.
(Fri, 28 Jan 2022 16:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Anton Mitterer <calestyo@scientia.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Fri, 28 Jan 2022 16:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: liblog4j1.2-java
Version: 1.2.17-10
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Hey.
A number of holes was found in the 1.2 branch of log4j.
The following is apparently critical (code injection):
https://www.cvedetails.com/cve/CVE-2022-23307/
https://www.cvedetails.com/cve/CVE-2022-23305/
https://www.cvedetails.com/cve/CVE-2022-23302/
AFAIU there is no support anymore form these from upstream, and seems:
https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
there are no plans to fix it.
EGI recommends: "For services where chainsaw is installed but not used apply the mitigation
zip -q -d /usr/share/cassandra/lib/log4j*.jar org/apache/log4j/chainsaw/*"
Not sure if that could be done for the Debian package in a new version?
Is Debian going to do anything about these?
Thanks,
Chris.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jan 29 12:08:01 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.