[Git][java-team/apache-log4j2][bullseye] 3 commits: Import Upstream version 2.12.3
Markus Koschany (@apo)
gitlab at salsa.debian.org
Mon Jan 19 22:57:11 GMT 2026
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / apache-log4j2
Commits:
aa58884f by Markus Koschany at 2021-12-26T23:36:29+01:00
Import Upstream version 2.12.3
- - - - -
017ccdce by Markus Koschany at 2021-12-29T11:39:57+01:00
New upstream version 2.17.1
- - - - -
bb45fa08 by Markus Koschany at 2026-01-19T23:56:56+01:00
Import Debian changes 2.17.1-1~deb11u2
apache-log4j2 (2.17.1-1~deb11u2) bullseye-security; urgency=medium
.
  * Team upload.
  * The Socket Appender in Apache Log4j Core does not perform TLS hostname
    verification of the peer certificate, even when the verifyHostName
    configuration attribute or the log4j2.sslVerifyHostName system property is
    set to true. This issue may allow a man-in-the-middle attacker to intercept
    or redirect log traffic under specific and hard to exploit conditions.
.
apache-log4j2 (2.17.1-1~deb11u1) bullseye; urgency=medium
.
  * Team upload.
  * Backport 2.17.1 to Bullseye and fix CVE-2021-44832: remote code execution
    vulnerability but requires permission to modify the logging configuration.
.
apache-log4j2 (2.17.1-1) unstable; urgency=high
.
  * Team upload.
  * New upstream version 2.17.1.
    - Fix CVE-2021-44832:
      Apache Log4j2 is vulnerable to a remote code execution
      (RCE) attack where an attacker with permission to modify the logging
      configuration file can construct a malicious configuration using a JDBC
      Appender with a data source referencing a JNDI URI which can execute
      remote code. This issue is fixed by limiting JNDI data source names to
      the java protocol.
      Thanks to Salvatore Bonaccorso for the report. (Closes: #1002813)
.
apache-log4j2 (2.17.0-1) unstable; urgency=high
.
  * Team upload.
  * New upstream version 2.17.0.
    - Fix CVE-2021-45105:
      Apache Log4j2 did not protect from uncontrolled recursion from
      self-referential lookups. When the logging configuration uses a
      non-default Pattern Layout with a Context Lookup (for example,
      $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
      input data can craft malicious input data that contains a recursive
      lookup, resulting in a denial of service. (Closes: #1001891)
      Thanks to Salvatore Bonaccorso for the report.
- - - - -
101 changed files:
- .github/workflows/benchmark.yml
- .github/workflows/main.yml → .github/workflows/build.yml
- + CODE_OF_CONDUCT.md
- README.md
- RELEASE-NOTES.md
- debian/changelog
- + debian/patches/CVE-2025-68161.patch
- debian/patches/series
- + docs/2.17.0-interpolation.md
- + docs/cve-map.md
- log4j-1.2-api/pom.xml
- log4j-1.2-api/src/main/java/org/apache/log4j/bridge/FilterAdapter.java
- log4j-1.2-api/src/main/java/org/apache/log4j/builders/appender/RollingFileAppenderBuilder.java
- log4j-1.2-api/src/main/java/org/apache/log4j/config/PropertiesConfiguration.java
- log4j-1.2-api/src/main/java/org/apache/log4j/helpers/AppenderAttachableImpl.java
- log4j-1.2-api/src/main/java/org/apache/log4j/helpers/OptionConverter.java
- log4j-1.2-api/src/test/java/org/apache/log4j/config/ZeroFilterFixture.java → log4j-1.2-api/src/test/java/org/apache/log4j/config/NeutralFilterFixture.java
- log4j-1.2-api/src/test/java/org/apache/log4j/config/PropertiesConfigurationTest.java
- log4j-1.2-api/src/test/resources/LOG4J2-3247.properties
- log4j-api-java9/pom.xml
- log4j-api/pom.xml
- log4j-api/src/main/java/org/apache/logging/log4j/Logger.java
- log4j-api/src/main/java/org/apache/logging/log4j/spi/AbstractLogger.java
- log4j-api/src/main/java/org/apache/logging/log4j/spi/ExtendedLoggerWrapper.java
- log4j-appserver/pom.xml
- log4j-bom/pom.xml
- log4j-cassandra/pom.xml
- log4j-core-its/pom.xml
- log4j-core-java9/pom.xml
- log4j-core/pom.xml
- log4j-core/revapi.json
- log4j-core/src/main/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSource.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/JmsManager.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/appender/mom/kafka/KafkaAppender.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/config/AbstractConfiguration.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/config/PropertiesPlugin.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JmxRuntimeInputArgumentsLookup.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/MapLookup.java
- + log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/PropertiesLookup.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/util/NetUtils.java
- log4j-core/src/main/java/org/apache/logging/log4j/core/util/OptionConverter.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcAppenderDataSourceTest.java
- + log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/AbstractJdbcDataSourceTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/DataSourceConnectionSourceTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppenderMapMessageDataSourceTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/appender/mom/JmsAppenderTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/appender/rolling/RollingFileAppenderReconfigureTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/InterpolatorTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/MainInputArgumentsMapLookup.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/MapLookupTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/StrSubstitutorTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/net/JndiManagerTest.java
- log4j-core/src/test/java/org/apache/logging/log4j/core/net/SocketAppenderReconnectTest.java
- + log4j-core/src/test/java/org/apache/logging/log4j/core/util/OptionConverterTest.java
- log4j-couchdb/pom.xml
- log4j-distribution/pom.xml
- log4j-docker/pom.xml
- log4j-flume-ng/pom.xml
- log4j-iostreams/pom.xml
- log4j-jakarta-web/pom.xml
- log4j-jcl/pom.xml
- log4j-jdbc-dbcp2/pom.xml
- log4j-jmx-gui/pom.xml
- log4j-jpa/pom.xml
- log4j-jpl/pom.xml
- log4j-jul/pom.xml
- log4j-kubernetes/pom.xml
- log4j-layout-template-json/pom.xml
- log4j-liquibase/pom.xml
- log4j-mongodb3/pom.xml
- log4j-mongodb4/pom.xml
- log4j-osgi/pom.xml
- log4j-perf/pom.xml
- log4j-samples/log4j-samples-configuration/pom.xml
- log4j-samples/log4j-samples-flume-common/pom.xml
- log4j-samples/log4j-samples-flume-embedded/pom.xml
- log4j-samples/log4j-samples-flume-remote/pom.xml
- log4j-samples/log4j-samples-loggerProperties/pom.xml
- log4j-samples/pom.xml
- log4j-slf4j-impl/pom.xml
- log4j-slf4j18-impl/pom.xml
- log4j-spring-boot/pom.xml
- log4j-spring-boot/src/test/java/org/apache/logging/log4j/spring/boot/SpringLookupTest.java
- log4j-spring-cloud-config/log4j-spring-cloud-config-client/pom.xml
- log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-application/pom.xml
- log4j-spring-cloud-config/log4j-spring-cloud-config-samples/log4j-spring-cloud-config-sample-server/pom.xml
- log4j-spring-cloud-config/log4j-spring-cloud-config-samples/pom.xml
- log4j-spring-cloud-config/pom.xml
- log4j-taglib/pom.xml
- log4j-to-slf4j/pom.xml
- log4j-to-slf4j/src/main/java/org/apache/logging/slf4j/SLF4JLogger.java
- log4j-to-slf4j/src/main/java/org/apache/logging/slf4j/SLF4JLoggerContext.java
- log4j-to-slf4j/src/main/java/org/apache/logging/slf4j/SLF4JLoggerContextFactory.java
- log4j-to-slf4j/src/test/java/org/apache/logging/slf4j/LoggerTest.java
- log4j-web/pom.xml
- pom.xml
- src/changes/announcement.vm
- src/changes/changes.xml
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/java-team/apache-log4j2/-/compare/5708df51e387edc6330e476bc7e7fbce0877752d...bb45fa0824556e6414f64abcf72c6d48fefaa11c