[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DSA-5020-1 for apache-log4j2

Markus Koschany (@apo) apo at debian.org
Sat Dec 11 19:09:58 GMT 2021



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11a105cb by Markus Koschany at 2021-12-11T20:06:16+01:00
Reserve DSA-5020-1 for apache-log4j2

- - - - -
2444300b by Markus Koschany at 2021-12-11T20:09:30+01:00
CVE-2020-9488,apache-log4j2: Remove no-dsa tag

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -122290,7 +122290,7 @@ CVE-2020-9489 (A carefully crafted or corrupt file may trigger a System.exit in
 	NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1
 CVE-2020-9488 (Improper validation of certificate with host mismatch in Apache Log4j  ...)
 	- apache-log4j2 2.13.3-1 (bug #959450)
-	[buster] - apache-log4j2 <no-dsa> (Minor issue)
+	[buster] - apache-log4j2 2.15.0-1~deb10u1
 	[stretch] - apache-log4j2 <no-dsa> (Minor issue; set mail.smtp.ssl.checkserveridentity to true to enable hostname verification)
 	[jessie] - apache-log4j2 <no-dsa> (Minor issue; set mail.smtp.ssl.checkserveridentity to true to enable hostname verification)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/04/25/1
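
Review bot: Only the `[buster]` line for CVE-2020-9488 changes here, while the `[stretch]` and `[jessie]` lines keep `<no-dsa>`, and the commit subject "CVE-2020-9488,apache-log4j2: Remove no-dsa tag" does not name a release. Consider putting "buster" in the subject so the log shows the older releases were left tagged on purpose. Replacing the tag also drops the "(Minor issue)" annotation from the buster line, so the fixed version `2.15.0-1~deb10u1` is now the only record of how this release was handled.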


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[11 Dec 2021] DSA-5020-1 apache-log4j2 - security update
+	{CVE-2021-44228}
+	[buster] - apache-log4j2 2.15.0-1~deb10u1
+	[bullseye] - apache-log4j2 2.15.0-1~deb11u1
 [10 Dec 2021] DSA-5019-1 wireshark - security update
 	{CVE-2021-22207 CVE-2021-22222 CVE-2021-22235 CVE-2021-39920 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39926 CVE-2021-39928 CVE-2021-39929}
 	[bullseye] - wireshark 3.4.10-0+deb11u1
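
Review bot: The CVE list on the new DSA-5020-1 entry is `{CVE-2021-44228}` alone, yet the same push records `2.15.0-1~deb10u1` as the buster fix for CVE-2020-9488 in data/CVE/list. If the advisory is meant to cover that issue as well, add CVE-2020-9488 inside the braces so the entry and the CVE list agree; if the omission is deliberate, a word in the commit message would save the next reader from checking.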


=====================================
data/dsa-needed.txt
=====================================
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
---
-apache-log4j2 (Markus Koschany)
 --
 asterisk/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aeb82e2e0e8130bfc4ffffe6c8cc1add42b26b47...2444300b8424f5e7202edf440613a3c1bff5d0a3
