Bug#1001729: apache-log4j2: CVE-2021-45046: Incomplete fix for CVE-2021-44228 in certain non-default configurations

Salvatore Bonaccorso carnil at debian.org
Wed Dec 15 05:50:38 GMT 2021


Hi Markus,

On Tue, Dec 14, 2021 at 11:45:20PM +0100, Markus Koschany wrote:
> Control: owner -1 !
> 
> Am Dienstag, dem 14.12.2021 um 21:37 +0100 schrieb Salvatore Bonaccorso:
> > Source: apache-log4j2
> > Version: 2.15.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3221
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team
> > <team at security.debian.org>
> > Control: found -1 2.15.0-1~deb11u1
> > Control: found -1 2.15.0-1~deb10u1
> > 
> > Hi,
> > 
> > The following vulnerability was published for apache-log4j2. Strictly
> > speaking it's less severe than CVE-2021-44228, as it is an incomplete fix
> > for the former CVE in certain non-default configurations.
> 
> Hi Salvatore,
> 
> I believe Stretch is not vulnerable to CVE-2021-45046 because I have removed
> the JndiLookup class when I fixed CVE-2021-44228.

Oh, good. In this case I would mark it with something along the lines of:

	[stretch] - apache-log4j2 <not-affected> (Incomplete fix for CVE-2021-44228 not applied; JndiLookup class removed as part of fix for CVE-2021-44228)

> Shall I release a new DSA for CVE-2021-45046 or a regression update for
> CVE-2021-44228 because of the incomplete upstream fix?

You are right, it might be a bit borderline towards a "regression
update". But as it is considered both a CVE assigned because of an
incomplete fix, but still can be seen as its own issue, I would just
allocate a new DSA number for the update and make it a regular
security update.

My reasoning here is not that what CVE-2021-44228 was meant to
address remains unfixed, but that some other edge cases were not
covered, making the fix incomplete, yet still being its own "issue".

So just allocate a new DSA for it covering the CVE-2021-45046 CVE.

Thanks for working on the update!

Regards,
Salvatore
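The mitigation Markus describes above is deleting the JndiLookup class from the log4j-core jar. The following is an added example, not code from this thread or from the Debian package, that verifies the removal actually took effect: it scans a directory tree for archives that still carry the entry `org/apache/logging/log4j/core/lookup/JndiLookup.class` (the class's location inside log4j-core), and also looks inside jars nested in a WAR or fat jar, because a deletion on the outer archive does not reach copies bundled within it. The sample archives are constructed in memory with dummy entry contents; the function names and the temporary directory layout are assumptions for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Location of the class inside log4j-core; this is the entry the mitigation deletes.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def jar_contains_jndi_lookup(data: bytes, depth: int = 0, max_depth: int = 3) -> bool:
    """Return True if the archive bytes, or any archive nested inside them
    (fat jar, WAR, EAR), still contain JndiLookup.class. Non-zip input is
    reported as clean rather than raising, so a scan of a mixed tree proceeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_ENTRY in names:
            return True
        if depth >= max_depth:
            return False
        # A removal on the outer jar does not reach copies bundled inside it.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                if jar_contains_jndi_lookup(zf.read(name), depth + 1, max_depth):
                    return True
    return False


def scan_tree(root) -> list:
    """Walk a directory tree and return the sorted paths of every archive
    that still ships JndiLookup, directly or nested."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            if jar_contains_jndi_lookup(path.read_bytes()):
                hits.append(str(path))
    return sorted(hits)


def build_sample_jar(with_lookup: bool) -> bytes:
    """Constructed sample standing in for log4j-core, with or without the
    JndiLookup entry. Entry bodies are dummy bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed sample: a fat jar/WAR whose outer listing is clean but which
    embeds a log4j-core jar that still has JndiLookup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/sample-log4j-core.jar", build_sample_jar(True))
    return buf.getvalue()


def demo_scan() -> list:
    """Write the constructed samples into a temporary tree, scan it, and return
    the flagged paths relative to the tree root (assumed layout for the demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "sample-unpatched.jar").write_bytes(build_sample_jar(True))
        (root / "lib" / "sample-patched.jar").write_bytes(build_sample_jar(False))
        (root / "app.war").write_bytes(build_nested_sample())
        (root / "notes.txt").write_bytes(b"not an archive")
        return sorted(os.path.relpath(p, root) for p in scan_tree(root))


if __name__ == "__main__":
    for hit in demo_scan():
        print("JndiLookup still present:", hit)
```

Only the unpatched jar and the WAR that embeds an unpatched copy are flagged; the jar with the class removed and the non-archive file are not. In practice the check is run against the deployed installation rather than the package build, since bundled copies inside application archives are the ones a package-level removal never touches.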
