Bug#1004482: liblog4j1.2-java: CVE-2022-23307 CVE-2022-23305 CVE-2022-23302

tony mancill tmancill at debian.org
Sun Jan 30 23:20:22 GMT 2022


On Sun, Jan 30, 2022 at 10:12:53PM +0100, Markus Koschany wrote:
> On Fri, 28 Jan 2022 17:04:08 +0100 Christoph Anton Mitterer
> <calestyo at scientia.org> wrote:
> > Package: liblog4j1.2-java
> > Version: 1.2.17-10
> > 
> > A number of holes were found in the 1.2 branch of log4j.
> > 
> > The following is apparently critical (code injection):
> > https://www.cvedetails.com/cve/CVE-2022-23307/
> > 
> > https://www.cvedetails.com/cve/CVE-2022-23305/
> > https://www.cvedetails.com/cve/CVE-2022-23302/
> 
> 
> I intend to address these issues shortly. I believe we can just remove the
> affected classes because they are not used by our dependencies but I need to
> double-check that.
 
Hi Markus,

You might take some inspiration and/or patches from the reload4j
project.

  https://reload4j.qos.ch/  

I have been using it as a drop-in replacement for the log4j 1.2.x jar for
applications at ${dayjob} without any problem.  Once you decide how you
would like to address the CVE, we can discuss the possibility of
packaging reload4j for bookworm as a replacement for apache-log4j1.2.

Cheers,
tony
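Editor's note: the two mitigations raised in this thread are (a) Markus's idea of dropping the affected classes from the Debian jar and (b) Tony's drop-in swap to reload4j. Either way a maintainer wants a repeatable check that the resulting jar no longer ships the affected code. The script below is an added example by the editor, not code from the Debian package, reload4j, or anyone in this thread. The class and package names it looks for (org.apache.log4j.net.JMSSink for CVE-2022-23302, org.apache.log4j.jdbc.JDBCAppender for CVE-2022-23305, the org.apache.log4j.chainsaw package for CVE-2022-23307) are taken from the public CVE descriptions, not from this page, and should be confirmed against the advisories before being relied on. The jar it operates on is a constructed in-memory stand-in for log4j-1.2.17.jar, so the example runs offline.

```python
import io
import zipfile

# Entry prefixes for the classes the public CVE descriptions name.
# Editor's assumption: these names come from the CVE text, not from this
# mailing-list post; confirm them against the advisories before relying on them.
VULNERABLE_CLASS_PREFIXES = {
    "CVE-2022-23302": ("org/apache/log4j/net/JMSSink",),      # JMSSink deserialization
    "CVE-2022-23305": ("org/apache/log4j/jdbc/JDBCAppender",),  # JDBCAppender SQL injection
    "CVE-2022-23307": ("org/apache/log4j/chainsaw/",),          # chainsaw deserialization
}


def build_sample_jar() -> bytes:
    """Construct a small in-memory jar standing in for log4j-1.2.17.jar (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name in [
            "META-INF/MANIFEST.MF",
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/JMSSink.class",
            "org/apache/log4j/net/SocketAppender.class",
            "org/apache/log4j/jdbc/JDBCAppender.class",
            "org/apache/log4j/chainsaw/Main.class",
            "org/apache/log4j/chainsaw/LoadXMLAction.class",
        ]:
            # Class-file magic only; the bodies are irrelevant for an entry-name check.
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def _is_affected(entry: str) -> bool:
    return any(entry.startswith(p)
               for prefixes in VULNERABLE_CLASS_PREFIXES.values() for p in prefixes)


def list_entries(jar_bytes: bytes) -> list:
    """All entry names in the jar, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def find_affected_entries(jar_bytes: bytes) -> dict:
    """Map each CVE to the jar entries matching its affected class/package prefixes."""
    hits = {cve: [] for cve in VULNERABLE_CLASS_PREFIXES}
    for entry in list_entries(jar_bytes):
        for cve, prefixes in VULNERABLE_CLASS_PREFIXES.items():
            if any(entry.startswith(p) for p in prefixes):
                hits[cve].append(entry)
    return hits


def strip_affected_entries(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without the affected entries (the 'remove the classes' mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if _is_affected(info.filename):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def is_clean(jar_bytes: bytes) -> bool:
    """True when no entry matches an affected prefix; run this on the stripped jar or on a
    candidate replacement such as reload4j before shipping it."""
    return not any(find_affected_entries(jar_bytes).values())


if __name__ == "__main__":
    jar = build_sample_jar()
    for cve, entries in find_affected_entries(jar).items():
        print(cve, entries)
    stripped = strip_affected_entries(jar)
    print("stripped jar clean:", is_clean(stripped))
    print("remaining entries:", list_entries(stripped))
```

For a real jar, replace build_sample_jar() with the bytes of the file under test (for example /usr/share/java/log4j-1.2.jar). Note that a prefix check only proves the classes are absent; whether anything on the classpath still references them is the separate question Markus says he needs to double-check.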