liblog4j2-java (2.13.3-1) -> 2.15.0-1 -> 2.17.0-1

Alles rund um sicherheitsrelevante Fragen und Probleme.
Antworten
dufty2
Beiträge: 1711
Registriert: 22.12.2013 16:41:16

Re: liblog4j2-java (2.13.3-1) -> 2.15.0-1 -> 2.17.0-1

Beitrag von dufty2 » 19.12.2021 08:46:19

Update:
Nachdem es zwischenzeitlich eine 2.16.0-1 gab,
gibt es seit gestern bereits eine 2.17.0-1, da immer noch Fehler gefunden wurden.
Langsam könnte man über unstable nachdenken ... ;)

Code: Alles auswählen

apache-log4j2 (2.17.0-1) unstable; urgency=high

  * Team upload.
  * New upstream version 2.17.0.
    - Fix CVE-2021-45105:
      Apache Log4j2 did not protect from uncontrolled recursion from
      self-referential lookups. When the logging configuration uses a
      non-default Pattern Layout with a Context Lookup (for example,
      $${ctx:loginId}), attackers with control over Thread Context Map (MDC)
      input data can craft malicious input data that contains a recursive
      lookup, resulting in a denial of service. (Closes: #1001891)
      Thanks to Salvatore Bonaccorso for the report.

 -- Markus Koschany <apo@debian.org>  Sat, 18 Dec 2021 17:09:22 +0100

apache-log4j2 (2.16.0-1) unstable; urgency=high

  * Team upload.
  * New upstream version 2.16.0.
    - Fix CVE-2021-45046:
      It was found that the fix to address CVE-2021-44228 in Apache Log4j
      2.15.0 was incomplete in certain non-default configurations. This could
      allow attackers with control over Thread Context Map (MDC) input data
      when the logging configuration uses a non-default Pattern Layout with
      either a Context Lookup (for example, $${ctx:loginId}) or a Thread
      Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data
      using a JNDI Lookup pattern resulting in a denial of service (DOS)
      attack.
      Thanks to Salvatore Bonaccorso for the report. (Closes: #1001729)

 -- Markus Koschany <apo@debian.org>  Wed, 15 Dec 2021 02:38:06 +0100

apache-log4j2 (2.15.0-1) unstable; urgency=high

  * Team upload.
  * New upstream version 2.15.0.
    - Fix CVE-2021-44228:
      Chen Zhaojun of Alibaba Cloud Security Team discovered that JNDI features
      used in configuration, log messages, and parameters do not protect
      against attacker controlled LDAP and other JNDI related endpoints. An
      attacker who can control log messages or log message parameters can
      execute arbitrary code loaded from LDAP servers when message lookup
      substitution is enabled. From version 2.15.0, this behavior has been
      disabled by default. (Closes: #1001478)
  * Update debian/watch to track the latest releases.
  * Declare compliance with Debian Policy 4.6.0.

 -- Markus Koschany <apo@debian.org>  Sat, 11 Dec 2021 15:01:57 +0100
Nach oben
Antworten

Zurück zu „Sicherheit“