[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Claim apache-log4j1.2 and nss in dla-needed.txt

Hi Chris,

(sorry forgot to CC debian-lts)

I think that was a mistake. We definitely should fix apache-log4j1.2 in
all distributions because a lot of packages depend on it. However the
vulnerability surfaces only when you use the (optional) option to log to
a remote server. I am quite sure that most of our packages just need it
as a build-dependency and to log to a file or stdout. The patch for
apache-log4j2 is quite different and can't be applied as is. I still
think I can backport it, so I wanted to give it a try.

I also recommend to let me handle triaging work because I am officially
frontdesk at the moment. You can always grab a package and work on it
but let frontdesk handle general triaging work or at least CC him/her or
move the discussion to debian-lts for more public awareness.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: