openSUSE-SU-2021:1601-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:1601-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2021:1601-1
Related
Published
2021-12-20T09:16:57Z
Modified
2021-12-20T09:16:57Z
Summary
Security update for log4j
Details

This update for log4j fixes the following issue:

  • Previously published fixes for log4jshell turned out to be incomplete. Upstream has followed up on the original patch for CVE-2021-44228 with several additional changes (LOG4J2-3198, LOG4J2-3201, LOG4J2-3208, and LOG4J2-3211) that are included in this update. Since the totality of those patches is pretty much equivalent to an update to the latest version of log4j, we did update the package's tarball from version 2.13.0 to 2.16.0 instead of trying to apply those patches to the old version. This change brings in a new dependency on 'jakarta-servlet' and a version update of 'disruptor'. [bsc#1193743, CVE-2021-45046]

This update was imported from SUSE:SLE-15-SP2:Update.

References

Affected packages

openSUSE:Leap 15.2 / disruptor

Package

Name
disruptor
Purl
pkg:rpm/opensuse/disruptor&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.4-lp152.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "disruptor-javadoc": "3.4.4-lp152.2.3.1",
            "log4j-javadoc": "2.16.0-lp152.3.9.1",
            "log4j-slf4j": "2.16.0-lp152.3.9.1",
            "jakarta-servlet": "5.0.0-lp152.2.1",
            "log4j-jcl": "2.16.0-lp152.3.9.1",
            "jakarta-servlet-javadoc": "5.0.0-lp152.2.1",
            "disruptor": "3.4.4-lp152.2.3.1",
            "log4j": "2.16.0-lp152.3.9.1"
        }
    ]
}

openSUSE:Leap 15.2 / jakarta-servlet

Package

Name
jakarta-servlet
Purl
pkg:rpm/opensuse/jakarta-servlet&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0-lp152.2.1

Ecosystem specific

{
    "binaries": [
        {
            "disruptor-javadoc": "3.4.4-lp152.2.3.1",
            "log4j-javadoc": "2.16.0-lp152.3.9.1",
            "log4j-slf4j": "2.16.0-lp152.3.9.1",
            "jakarta-servlet": "5.0.0-lp152.2.1",
            "log4j-jcl": "2.16.0-lp152.3.9.1",
            "jakarta-servlet-javadoc": "5.0.0-lp152.2.1",
            "disruptor": "3.4.4-lp152.2.3.1",
            "log4j": "2.16.0-lp152.3.9.1"
        }
    ]
}

openSUSE:Leap 15.2 / log4j

Package

Name
log4j
Purl
pkg:rpm/opensuse/log4j&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.16.0-lp152.3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "disruptor-javadoc": "3.4.4-lp152.2.3.1",
            "log4j-javadoc": "2.16.0-lp152.3.9.1",
            "log4j-slf4j": "2.16.0-lp152.3.9.1",
            "jakarta-servlet": "5.0.0-lp152.2.1",
            "log4j-jcl": "2.16.0-lp152.3.9.1",
            "jakarta-servlet-javadoc": "5.0.0-lp152.2.1",
            "disruptor": "3.4.4-lp152.2.3.1",
            "log4j": "2.16.0-lp152.3.9.1"
        }
    ]
}