Bug 14140

Summary: [CVE 21] log4j12 CVEs
Product: [ROSA-based products] ROSA Fresh
Reporter: Vladimir Potapov <v.potapov>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker
Priority: Highest
CC: a.proklov, pastordidi, s.matveev
Version: All
Flags: v.potapov: qa_verified+, v.potapov: secteam_verified?, a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All   
OS: Linux   
URL: CVE-2019-17571,CVE-2022-23305,CVE-2021-4104,CVE-2022-23302,CVE-2022-23307,CVE-2023-26464,CVE-2020-9493
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Comment 1 Svyatoslav Matveev 2023-12-11 13:26:28 MSK
********** QA ADVISORY **********

Closed by applying patches:

CVE-2019-17571 is the same as CVE-2017-5645
CVE-2022-23305
CVE-2021-4104
CVE-2022-23302
CVE-2022-23307

CVE-2023-26464 is not needed, since it is built with JRE 1.8
https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t

CVE-2020-9493 is not needed; it concerns Apache Chainsaw.

*** log4j12
**  1.2.17 release +1

https://abf.io/build_lists/4885234
https://abf.io/build_lists/4885235
Comment 2 Dmitry Postnikov 2023-12-13 14:53:46 MSK
*****************************
Update sent to Testing
Comment 3 Vladimir Potapov 2023-12-14 16:59:17 MSK
log4j12-1.2.17-26
https://abf.io/build_lists/4885234
https://abf.io/build_lists/4885235
*************************** Advisory ********************
CVEs closed by patches
*********************************************************
Comment 4 Vladimir Potapov 2023-12-14 17:07:52 MSK
QA Verified