Bug#1004482: liblog4j1.2-java: CVE-2022-23307 CVE-2022-23305 CVE-2022-23302
Markus Koschany
apo at debian.org
Sun Jan 30 21:12:53 GMT 2022
Control: owner -1 !
On Fri, 28 Jan 2022 17:04:08 +0100 Christoph Anton Mitterer
<calestyo at scientia.org> wrote:
> Package: liblog4j1.2-java
> Version: 1.2.17-10
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> Hey.
>
> A number of holes were found in the 1.2 branch of log4j.
>
> The following is apparently critical (code injection):
> https://www.cvedetails.com/cve/CVE-2022-23307/
>
> https://www.cvedetails.com/cve/CVE-2022-23305/
> https://www.cvedetails.com/cve/CVE-2022-23302/
I intend to address these issues shortly. I believe we can just remove the
affected classes because they are not used by our dependencies but I need to
double-check that.
Markus
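One way to do the double-check Markus mentions, given as an added example that is not part of the bug thread and not the Debian package's own tooling: inspect the log4j jar for the class files tied to the three CVEs, and scan other jars' class files for references to those classes. The CVE-to-class mapping below comes from the upstream log4j advisories, not from this report, which only lists the CVE ids; the jar contents are constructed sample data, and the reference scan is a byte-search heuristic over class files (the referenced class's internal name appears in the constant pool), not a full bytecode parse.

```python
"""Check a log4j 1.2 jar for the classes behind CVE-2022-23302 / -23305 / -23307
and look for other jars whose classes reference them.
Added example; not from the Debian bug thread or the liblog4j1.2-java package."""
import io
import zipfile

# Mapping taken from the upstream advisories (assumption relative to this
# thread, which names only the CVE ids): JMSSink, JDBCAppender, Chainsaw.
AFFECTED = {
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink.class"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender.class"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],   # whole package
}


def affected_entries(jar_bytes):
    """Return {cve: [jar entries present]} for a jar given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for cve, patterns in AFFECTED.items():
            hits = []
            for pattern in patterns:
                if pattern.endswith("/"):
                    hits += [n for n in names
                             if n.startswith(pattern) and n.endswith(".class")]
                else:
                    hits += [n for n in names if n == pattern]
            if hits:
                found[cve] = sorted(hits)
    return found


def referencing_classes(jar_bytes):
    """Heuristic: a class that uses one of the affected classes carries that
    class's internal (slash-separated) name in its constant pool.
    Return {class entry: [affected names it mentions]}."""
    needles = []
    for patterns in AFFECTED.values():
        for p in patterns:
            p = p.rstrip("/")
            if p.endswith(".class"):
                p = p[:-len(".class")]
            needles.append(p.encode())
    refs = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            hits = [n.decode() for n in needles if n in data]
            if hits:
                refs[name] = hits
    return refs


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars. The "class" bodies are fake bytes that only need
# to carry (or not carry) the class-name strings the heuristic looks for.
LOG4J_JAR = make_jar({
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe...",
    "org/apache/log4j/net/JMSSink.class": b"\xca\xfe\xba\xbe...",
    "org/apache/log4j/jdbc/JDBCAppender.class": b"\xca\xfe\xba\xbe...",
    "org/apache/log4j/chainsaw/Main.class": b"\xca\xfe\xba\xbe...",
})
CLEAN_APP_JAR = make_jar({
    "com/example/App.class": b"\xca\xfe\xba\xbe org/apache/log4j/Logger",
})
DEPENDENT_APP_JAR = make_jar({
    "com/example/Sink.class": b"\xca\xfe\xba\xbe org/apache/log4j/net/JMSSink",
})

if __name__ == "__main__":
    print("affected entries in log4j jar:", affected_entries(LOG4J_JAR))
    for label, jar in (("clean app", CLEAN_APP_JAR), ("dependent app", DEPENDENT_APP_JAR)):
        print(label, "references:", referencing_classes(jar))
```

Run against real jars by passing `open(path, "rb").read()` to the two functions; an empty result from `referencing_classes` over the reverse dependencies is the evidence that dropping the classes will not break them, while any hit names the class that still needs them.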