Package: apache-log4j2 / 2.7-2

Metadata

Package: apache-log4j2
Version: 2.7-2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta (lines changed: added+ removed- modified!) | Description
01 disable kafka appender.patch

  log4j-core/pom.xml | 5 (5+ 0- 0!)
  1 file changed, 5 insertions(+)

  Disable the Kafka appender (not yet in Debian).
02 jackson compatibility.patch

  log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/InputStreamLogEventBridge.java | 2 (1+ 1- 0!)
  1 file changed, 1 insertion(+), 1 deletion(-)

  Fixes the compatibility with the version of Jackson in Debian.
03 mongodb compatibility.patch

  log4j-nosql/src/main/java/org/apache/logging/log4j/nosql/appender/mongodb/MongoDbProvider.java | 2 (1+ 1- 0!)
  1 file changed, 1 insertion(+), 1 deletion(-)

  Fixes the compatibility with the version of the MongoDB driver in Debian.
CVE 2017 5645.patch

  log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/AbstractSocketServer.java | 13 (13+ 0- 0!)
  log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/ObjectInputStreamLogEventBridge.java | 21 (20+ 1- 0!)
  log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/TcpSocketServer.java | 25 (22+ 3- 0!)
  log4j-core/src/main/java/org/apache/logging/log4j/core/net/server/UdpSocketServer.java | 18 (17+ 1- 0!)
  log4j-core/src/main/java/org/apache/logging/log4j/core/util/FilteredObjectInputStream.java | 67 (67+ 0- 0!)
  5 files changed, 139 insertions(+), 5 deletions(-)

  CVE-2017-5645: when using the TCP socket server or UDP socket
  server to receive serialized log events from another application,
  a specially crafted binary payload can be sent that, when deserialized,
  can execute arbitrary code.

  This patch adds class filtering to AbstractSocketServer. This allows
  a whitelist of class names to be specified to configure which classes
  are allowed to be deserialized in both TcpSocketServer and UdpSocketServer.