it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
- From: Salvatore Bonaccorso <carnil AT debian.org>
- To: debian-security-announce AT lists.debian.org
- Subject: [IT-SecNots] [SECURITY] [DSA 4686-1] apache-log4j1.2 security update
- Date: Fri, 15 May 2020 22:17:02 +0000
- List-archive: https://lists.debian.org/msgid-search/E1jZida-0002p6-7m AT seger.debian.org
- List-id: <debian-security-announce.lists.debian.org>
- List-url: <http://lists.debian.org/debian-security-announce/>
- Old-return-path: <carnil AT seger.debian.org>
- Priority: urgent
- Resent-date: Fri, 15 May 2020 22:17:17 +0000 (UTC)
- Resent-from: debian-security-announce AT lists.debian.org
- Resent-message-id: <O41vjXtIPZF.A.ZGH.tTxveB@bendel>
- Resent-sender: debian-security-announce-request AT lists.debian.org
-------------------------------------------------------------------------
Debian Security Advisory DSA-4686-1                security AT debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 16, 2020                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apache-log4j1.2
CVE ID         : CVE-2019-17571
Debian Bug     : 947124

It was discovered that the SocketServer class included in
apache-log4j1.2, a logging library for Java, is vulnerable to
deserialization of untrusted data. An attacker can take advantage of
this flaw to execute arbitrary code in the context of the logger
application by sending a specially crafted log event.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.17-7+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.17-8+deb10u1.

We recommend that you upgrade your apache-log4j1.2 packages.

For the detailed security status of apache-log4j1.2 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/apache-log4j1.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org