Bug#1001891: apache-log4j2: CVE-2021-45105: Certain strings can cause infinite recursion

Salvatore Bonaccorso carnil at debian.org
Sat Dec 18 16:51:19 GMT 2021


Hi!

On Sat, Dec 18, 2021 at 03:30:16PM +0100, Markus Koschany wrote:
> Control: owner -1 !
> 
> Am Samstag, dem 18.12.2021 um 14:37 +0100 schrieb Salvatore Bonaccorso:
> > Source: apache-log4j2
> > Version: 2.16.0-1
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/LOG4J2-3230
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team
> > <team at security.debian.org>
> > Control: found -1 2.16.0-1~deb11u1
> > Control: found -1 2.16.0-1~deb10u1
> > 
> > Hi,
> > 
> > The following vulnerability was published for apache-log4j2, again
> > with a less severe impact.
> > 
> > CVE-2021-45105[0]:
> > > Certain strings can cause infinite recursion
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Thanks for the report. I hope we are not going to see a new log4j CVE every
> week now...
> 
> I can prepare the security update for Buster and Bullseye again.

Thanks! I hope and expect it will calm down again around log4j2. Many
people are now looking at it, so it's good that issues are found and
resolved.

Regards,
Salvatore
