Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org

Hi,

I would like to fix CVE-2021-44832 in Bullseye. Apache Log4j2 has been affected by some serious remote code execution vulnerabilities in the past months. The most severe ones have been already addressed in buster-security with version 2.17.0-1~deb11u1. CVE-2021-44832 is less severe thus the security team decided to mark this issue as no-dsa.

I have prepared a backport of the current Log4j2 version in testing which again is a new upstream release instead of a targeted fix. I am confident this one works as well as the other upgrades before and I recommend to use it in stable from now on.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

Markus
Attachment:
apache-log4j2_bullseye.debdiff.gz
Description: application/gzip