[Git][security-tracker-team/security-tracker][master] Mark CVE in log4j1.2 as fixed in unstable

Markus Koschany (@apo) apo at debian.org
Mon Jan 31 11:03:52 GMT 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7162ed0 by Markus Koschany at 2022-01-31T12:02:06+01:00
Mark CVE in log4j1.2 as fixed in unstable

Remove no-dsa tag for CVE-2021-4104/Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3275,12 +3275,12 @@ CVE-2022-0266 (Authorization Bypass Through User-Controlled Key in Packagist rem
 CVE-2022-0265
 	RESERVED
 CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was present in A ...)
-	- apache-log4j1.2 <unfixed> (bug #1004482)
+	- apache-log4j1.2 1.2.17-11 (bug #1004482)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5
 CVE-2022-23306
 	RESERVED
 CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as ...)
-	- apache-log4j1.2 <unfixed> (bug #1004482)
+	- apache-log4j1.2 1.2.17-11 (bug #1004482)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4
 CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...)
 	NOT-FOR-US: pimcore
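Review bot: The two changed lines for CVE-2022-23307 and CVE-2022-23305 reuse the same version 1.2.17-11 and the same bug #1004482, although one entry describes a deserialization issue and the other the JDBCAppender accepting an SQL statement. Please confirm that the 1.2.17-11 upload addresses each CVE individually. A NOTE line under each entry naming what was changed in that version would make the fixed status verifiable from the list itself.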
@@ -3343,7 +3343,7 @@ CVE-2022-0244 (An issue has been discovered in GitLab CE/EE affecting all versio
 CVE-2022-0243 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.C ...)
 	NOT-FOR-US: Orchard CMS
 CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserialization  ...)
-	- apache-log4j1.2 <unfixed> (bug #1004482)
+	- apache-log4j1.2 1.2.17-11 (bug #1004482)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3
 CVE-2022-22142
 	RESERVED
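Review bot: The CVE-2022-23302 entry now has a fixed version for unstable but no per-release lines, while the comparable JMSAppender entry (CVE-2021-4104) in this same commit carries explicit [bullseye] and [buster] <no-dsa> annotations. If the JMSSink issue is meant to be triaged the same way for the released suites, add the matching annotations here. If it is not, a short NOTE explaining the difference would help.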
@@ -11020,10 +11020,9 @@ CVE-2018-25021 (The TCP Server module in toxcore before 0.2.8 doesn't free the T
 CVE-2021-44833 (The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the c ...)
 	NOT-FOR-US: CLI for Amazon AWS OpenSearch
 CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted ...)
-	- apache-log4j1.2 <unfixed>
+	- apache-log4j1.2 1.2.17-11
 	[bullseye] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
 	[buster] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
-	[stretch] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1
 	NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
 	NOTE: Issue for Log4j 1.2 when specifically configured to use JMSAppender (not the default)
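Review bot: The removed [stretch] <no-dsa> line for CVE-2021-4104 carried the same justification ("Minor issue; JMSAppender not configured to be used by default") that is kept for [bullseye] and [buster], and the commit message records the removal without giving a reason. Please state why stretch is now treated differently, for example in the commit message or in a NOTE line, so the divergence between suites is not read as an oversight.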



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7162ed0a5b2f935522447aacdf599b0aed1d258
