Package: apache-log4j2 / 2.7-2
Metadata
Package | Version | Patches format |
---|---|---|
apache-log4j2 | 2.7-2 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01 disable kafka appender.patch | log4j-core/pom.xml (5 5 + 0 - 0 !) | Disable the Kafka appender (not yet in Debian) |
02 jackson compatibility.patch | log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/InputStreamLogEventBridge.java (2 1 + 1 - 0 !) | Fixes the compatibility with the version of Jackson in Debian |
03 mongodb compatibility.patch | log4j-nosql/src/main/java/org/apache/logging/log4j/nosql/appender/mongodb/MongoDbProvider.java (2 1 + 1 - 0 !) | Fixes the compatibility with the version of the MongoDB driver in Debian |
CVE 2017 5645.patch | log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/AbstractSocketServer.java (13 13 + 0 - 0 !) | CVE-2017-5645: When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. This patch adds class filtering to AbstractSocketServer. This allows a whitelist of class names to be specified to configure which classes are allowed to be deserialized in both TcpSocketServer and UdpSocketServer. |