Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations

Markus Koschany apo at debian.org
Tue Dec 14 22:45:20 GMT 2021


Control: owner -1 !

On Tuesday, 14.12.2021 at 21:37 +0100, Salvatore Bonaccorso wrote:
> Source: apache-log4j2
> Version: 2.15.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team
> <team at security.debian.org>
> Control: found -1 2.15.0-1~deb11u1
> Control: found -1 2.15.0-1~deb10u1
> 
> Hi,
> 
> The following vulnerability was published for apache-log4j2. Strictly
> speaking it's less severe than CVE-2021-44228 as it is an incomplete fix
> for the former CVE in certain non-default configurations.

Hi Salvatore,

I believe Stretch is not vulnerable to CVE-2021-45046 because I have removed
the JndiLookup class when I fixed CVE-2021-44228.

Shall I release a new DSA for CVE-2021-45046 or a regression update for
CVE-2021-44228 because of the incomplete upstream fix?

Regards,

Markus
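The mitigation Markus refers to above, removing the JndiLookup class from log4j-core so that neither CVE-2021-44228 nor CVE-2021-45046 can be reached through the JNDI lookup code path, can be both verified and applied at the jar level. The script below is an added example, not code from this thread or from the Debian package: it builds a constructed placeholder jar containing a dummy `JndiLookup.class` entry (the entry path is the real one used by log4j-core 2.x, the class bytes are fake), reports whether the class is present, and writes a copy of the jar with that single entry dropped while leaving every other entry untouched.

```python
import os
import tempfile
import zipfile

# Entry path of the lookup class in log4j-core 2.x jars.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """Return True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def strip_jndi_lookup(jar_path, out_path):
    """Write a copy of jar_path to out_path without JndiLookup.class.

    Every other entry (manifest included) is copied byte-for-byte, so the
    result remains a valid jar. Returns the number of entries removed.
    """
    removed = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                removed += 1
                continue
            # Passing the ZipInfo keeps the original timestamp and compression.
            dst.writestr(info, src.read(info.filename))
    return removed


def make_sample_jar(path):
    """Constructed placeholder jar for the demo; not a real log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"placeholder")


def demo():
    """Run check -> strip -> re-check on the constructed jar.

    Returns (present_before, entries_removed, present_after, entries_left).
    """
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "log4j-core-sample.jar")
    hardened = os.path.join(workdir, "log4j-core-sample-stripped.jar")
    make_sample_jar(original)
    before = has_jndi_lookup(original)
    removed = strip_jndi_lookup(original, hardened)
    after = has_jndi_lookup(hardened)
    with zipfile.ZipFile(hardened) as jar:
        remaining = len(jar.namelist())
    return before, removed, after, remaining


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `has_jndi_lookup` at the installed log4j-core jar to confirm that a package update actually dropped the class. Note that the check only inspects the top level of one archive: applications that bundle log4j-core inside a fat jar or a WAR need the nested archives opened and scanned the same way.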
