UbuntuUpdates.org

Package "apache-log4j1.2"

Name: apache-log4j1.2

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Logging library for java
  • Documentation for liblog4j1.2-java
Latest version: 1.2.17-8+deb10u1ubuntu0.2
Release: bionic (18.04)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "apache-log4j1.2" in Bionic

Repository Area Version
base universe 1.2.17-8
updates universe 1.2.17-8+deb10u1ubuntu0.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.2.17-8+deb10u1ubuntu0.2 2023-04-04 22:06:48 UTC

  apache-log4j1.2 (1.2.17-8+deb10u1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Improper Neutralization
    - debian/patches/CVE-2022-23302.patch: Replace lookup code.
    - debian/patches/CVE-2022-23305.patch: Add flushBufferSecure and
      JdbcPatternParser.
    - debian/patches/CVE-2022-23307.patch: Add
      HardenedLoggingEventInputStream, HardenedObjectInputStream, and
      SocketAppenderTest.java
    - CVE-2022-23302
    - CVE-2022-23305
    - CVE-2022-23307

 -- Paulo Flabiano Smorigo <email address hidden> Fri, 17 Mar 2023 11:50:35 -0300
Source diff to previous version
CVE-2022-23302 JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration
CVE-2022-23305 By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from
CVE-2022-23307 CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j

Version: 1.2.17-8+deb10u1ubuntu0.1 2022-01-11 22:06:25 UTC

  apache-log4j1.2 (1.2.17-8+deb10u1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: code execution via JMS appender
    - debian/patches/0002-Disable-JNDI-by-default.patch: Add an additional
      option that disables the JMS appender by default.
    - CVE-2021-4104
  * Environments that require JMS Appender will need to add the following
    to their configuration file: log4j.appender.jms.Enabled=true

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 10 Jan 2022 14:36:26 +0000
Source diff to previous version
CVE-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attack

Version: 1.2.17-8+deb10u1build0.18.04.1 2020-09-14 20:06:17 UTC

  apache-log4j1.2 (1.2.17-8+deb10u1build0.18.04.1) bionic-security; urgency=medium

  * fake sync from Debian


About   -   Send Feedback to @ubuntu_updates