-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4686-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 16, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache-log4j1.2
CVE ID         : CVE-2019-17571
Debian Bug     : 947124

It was discovered that the SocketServer class included in
apache-log4j1.2, a logging library for java, is vulnerable to
deserialization of untrusted data. An attacker can take advantage of
this flaw to execute arbitrary code in the context of the logger
application by sending a specially crafted log event.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.17-7+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.17-8+deb10u1.

We recommend that you upgrade your apache-log4j1.2 packages.

For the detailed security status of apache-log4j1.2 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/apache-log4j1.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6/FH1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RAJQ/9HLo721J7x4kWxFiWIP0Ui1xl8ZM6MBhA8qYfUD4DxKoHHfvYEq6Q7TTD
+FlTX5rRrjvgHF+MgxG1XDHtwv7XWhczEiHzZKHLCX3CsG+AL+CMmGoVqBtKEncC
FGYbVCSKYzxM8LaX2G1EyCzT2zfGZvPT5nFT7zAV0Ge6vpvWklF0s168h4pbG9hE
cF6aPqAlWMy5pLVRI+3XE1og4MECjqXB9a7HSWlHfur6NSnQlrHhWOCDJBw5zpPu
AKEfW5GvBaCdxdat1xTFqCu6h5387dtNsBlRrefp9q+fcrGj2Z351Lv7ccG5Co8T
e/7iNyABu2fmi8x4WFQwS3PY4AsM/2sa+KHfXnttSXcQniXAccg6S1eCaWVqdNfZ
3LPmeBC5gX3UqDNZTVv+kvHvv7EsD1/6bMeVZlKQZkYAeysbLWdjkA+88f6kaVwD
qv6mWCGo5k7ZoWCUKD1Zjz8VwBT4EI/2II5D93QgblVkHDX9CESfipIjJBJp7aJ7
wS2kvdXOko3JDaJbScpGmCnjCb5NhJ1KiBZSzXYHv3uhoqlI5QvYvC1bFHqC2GnT
cF4syuMELN6nZ/Yoz8sJiT4Ilppz98vLerHbJoJZIPEOh15k8UKaFkdt5CpI8MGK
4+sL2iWyTtCjGYGuhDkk0KyLcqijybv282VIkXDtAetpi8MTdsE=
=eH9L
-----END PGP SIGNATURE-----