[Git][java-team/apache-log4j2][buster] Import Debian changes 2.17.1-1~deb10u2

Markus Koschany (@apo) gitlab at salsa.debian.org
Mon Feb 2 12:32:59 GMT 2026



Markus Koschany pushed to branch buster at Debian Java Maintainers / apache-log4j2


Commits:
8c368e2d by Markus Koschany at 2026-02-02T13:32:50+01:00
Import Debian changes 2.17.1-1~deb10u2

apache-log4j2 (2.17.1-1~deb10u2) buster-security; urgency=medium
.
  * Team upload.
  * Fix CVE-2025-68161:
    The Socket Appender in Apache Log4j Core does not perform TLS hostname
    verification of the peer certificate, even when the verifyHostName
    configuration attribute or the log4j2.sslVerifyHostName system property is
    set to true. This issue may allow a man-in-the-middle attacker to intercept
    or redirect log traffic under specific and hard to exploit conditions.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2025-68161.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+apache-log4j2 (2.17.1-1~deb10u2) buster-security; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2025-68161:
+    The Socket Appender in Apache Log4j Core does not perform TLS hostname
+    verification of the peer certificate, even when the verifyHostName
+    configuration attribute or the log4j2.sslVerifyHostName system property is
+    set to true. This issue may allow a man-in-the-middle attacker to intercept
+    or redirect log traffic under specific and hard to exploit conditions.
+
+ -- Markus Koschany <apo at debian.org>  Tue, 27 Jan 2026 09:48:36 +0100
+
 apache-log4j2 (2.17.1-1~deb10u1) buster; urgency=medium
 
   * Team upload.


=====================================
debian/patches/CVE-2025-68161.patch
=====================================
@@ -0,0 +1,165 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 30 Dec 2026 21:32:04 +0100
+Subject: CVE-2025-68161
+
+Bug-Debian: https://bugs.debian.org/1123744
+Origin: https://github.com/apache/logging-log4j2/pull/4002
+---
+ .../log4j/core/net/AbstractSocketManager.java      |  9 ++
+ .../logging/log4j/core/net/SslSocketManager.java   | 96 +++++++++++++++++++---
+ 2 files changed, 92 insertions(+), 13 deletions(-)
+
+diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/AbstractSocketManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/AbstractSocketManager.java
+index 76d3e46..a3d2999 100644
+--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/AbstractSocketManager.java
++++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/AbstractSocketManager.java
+@@ -79,4 +79,13 @@ public abstract class AbstractSocketManager extends OutputStreamManager {
+         result.put("address", inetAddress.getHostAddress());
+         return result;
+     }
++
++    /**
++     * Gets the host.
++     *
++     * @return the host.
++     */
++    public String getHost() {
++        return host;
++    }
+ }
+diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/SslSocketManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/SslSocketManager.java
+index e9e018d..42046b1 100644
+--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/SslSocketManager.java
++++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/SslSocketManager.java
+@@ -23,7 +23,10 @@ import java.net.InetAddress;
+ import java.net.InetSocketAddress;
+ import java.net.Socket;
+ import java.util.List;
++import java.util.Collections;
+ 
++import javax.net.ssl.SNIHostName;
++import javax.net.ssl.SSLParameters;
+ import javax.net.ssl.SSLSocket;
+ import javax.net.ssl.SSLSocketFactory;
+ 
+@@ -136,10 +139,7 @@ public class SslSocketManager extends TcpSocketManager {
+ 
+     @Override
+     protected Socket createSocket(final InetSocketAddress socketAddress) throws IOException {
+-        final SSLSocketFactory socketFactory = createSslSocketFactory(sslConfig);
+-        final Socket newSocket = socketFactory.createSocket();
+-        newSocket.connect(socketAddress, getConnectTimeoutMillis());
+-        return newSocket;
++        return createSocket(getHost(), socketAddress, getConnectTimeoutMillis(), sslConfig, getSocketOptions());
+     }
+ 
+     private static SSLSocketFactory createSslSocketFactory(final SslConfiguration sslConf) {
+@@ -171,29 +171,99 @@ public class SslSocketManager extends TcpSocketManager {
+             IOException ioe = null;
+             for (InetSocketAddress socketAddress : socketAddresses) {
+                 try {
+-                    return SslSocketManager.createSocket(socketAddress, data.connectTimeoutMillis,
+-                            data.sslConfiguration, data.socketOptions);
++                    return SslSocketManager.createSocket(
++                            data.host,
++                            socketAddress,
++                            data.connectTimeoutMillis,
++                            data.sslConfiguration,
++                            data.socketOptions);
+                 } catch (IOException ex) {
+-                    ioe = ex;
++                    final String message = String.format(
++                            "failed create a socket to `%s:%s` that is resolved to address `%s`",
++                            data.host, data.port, socketAddress);
++                    final IOException newEx = new IOException(message, ex);
++                    if (ioe == null) {
++                        ioe = newEx;
++                    } else {
++                        ioe.addSuppressed(newEx);
++                    }
+                 }
+             }
+             throw new IOException(errorMessage(data, socketAddresses) , ioe);
+         }
+     }
+ 
+-    static Socket createSocket(final InetSocketAddress socketAddress, final int connectTimeoutMillis,
+-            final SslConfiguration sslConfiguration, final SocketOptions socketOptions) throws IOException {
++    private static Socket createSocket(
++            final String hostName,
++            final InetSocketAddress socketAddress,
++            final int connectTimeoutMillis,
++            final SslConfiguration sslConfiguration,
++            final SocketOptions socketOptions)
++            throws IOException {
++
++        // Create the `SSLSocket`
+         final SSLSocketFactory socketFactory = createSslSocketFactory(sslConfiguration);
+         final SSLSocket socket = (SSLSocket) socketFactory.createSocket();
++
++        // Apply socket options before `connect()`
+         if (socketOptions != null) {
+-            // Not sure which options must be applied before or after the connect() call.
+             socketOptions.apply(socket);
+         }
++
++        // Connect the socket
+         socket.connect(socketAddress, connectTimeoutMillis);
+-        if (socketOptions != null) {
+-            // Not sure which options must be applied before or after the connect() call.
+-            socketOptions.apply(socket);
++
++        // Verify the host name
++        if (sslConfiguration.isVerifyHostName()) {
++            // Allowed endpoint identification algorithms: HTTPS and LDAPS.
++            // https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#endpoint-identification-algorithms
++            final SSLParameters sslParameters = socket.getSSLParameters();
++            sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
++
++            final SNIHostName serverName = createSniHostName(hostName);
++            if (serverName != null) {
++                sslParameters.setServerNames(Collections.singletonList(serverName));
++            }
++            socket.setSSLParameters(sslParameters);
+         }
++
+         return socket;
+     }
++
++    /**
++     * {@return an {@link SNIHostName} instance if the provided host name is not an IP literal (RFC 6066), and constitutes a valid host name (RFC 1035); null otherwise}
++     *
++     * @param hostName a host name
++     *
++     * @see <a href="https://www.rfc-editor.org/rfc/rfc6066.html#section-3">Literal IPv4 and IPv6 addresses are not permitted in "HostName" (RFC 6066)</a>
++     * @see <a href="https://www.rfc-editor.org/rfc/rfc1035.html">Domain Names - Implementation and Specification (RFC 1035)</a>
++     */
++    static SNIHostName createSniHostName(String hostName) {
++        // The actual check should be
++        //
++        //     !isIPv4(h) && !isIPv6(h) && isValidHostName(h)
++        //
++        // Though we translate this into
++        //
++        //     !h.matches("\d+[.]\d+[.]\d+[.]\d+") && new SNIServerName(h)
++        //
++        // This simplification is possible because
++        //
++        // - The `\d+[.]\d+[.]\d+[.]\d+` is sufficient to eliminate IPv4 addresses.
++        //   Any sequence of four numeric labels (e.g., `1234.2345.3456.4567`) is not a valid host name.
++        //   Hence, false positives are not a problem, they would be eliminated by `isValidHostName()` anyway.
++        //
++        // - `SNIServerName::new` throws an exception on invalid host names.
++        //   This check is performed using `IDN.toASCII(hostName, IDN.USE_STD3_ASCII_RULES)`.
++        //   IPv6 literals don't qualify as a valid host name by `IDN::toASCII`.
++        //   This assumption on `IDN` is unlikely to change in the foreseeable future.
++        if (!hostName.matches("\\d+[.]\\d+[.]\\d+[.]\\d+")) {
++            try {
++                return new SNIHostName(hostName);
++            } catch (IllegalArgumentException ignored) {
++                // Do nothing
++            }
++        }
++        return null;
++    }
+ }
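Review bot: The new `createSocket` dereferences `sslConfiguration` unconditionally at `if (sslConfiguration.isVerifyHostName())`, whereas the replaced code only handed it to `createSslSocketFactory`, whose body lies outside the hunk and which, in the 2.17.1 sources as far as I recall, falls back to `SSLSocketFactory.getDefault()` for a null configuration. If that null path is still reachable (an appender declared with `protocol="SSL"` and no `<Ssl>` element), the appender would now fail with a NullPointerException on every connect attempt rather than connecting as before; `if (sslConfiguration != null && sslConfiguration.isVerifyHostName())` keeps the old behaviour for that case, and a comment next to the guard should state that a missing configuration means no hostname verification, so the fallback is a conscious choice rather than an accident. The rewritten `createSocket` is complete within this hunk, but the enclosing `SslSocketManager` class and `createSslSocketFactory` are not, so the null-tolerance claim needs checking against the full file. Separately, the patch header's `Date: Tue, 30 Dec 2026` is later than the changelog entry dated 27 Jan 2026 and is presumably meant to read 2025.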


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 01-disable-kafka-appender.patch
 03-mongodb-compatibility.patch
+CVE-2025-68161.patch



View it on GitLab: https://salsa.debian.org/java-team/apache-log4j2/-/commit/8c368e2dbbdd64da1036e0687a3fe48095788ad5
