From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id CA+6EJwKtGG3aAAAgWs5BA (envelope-from ) for ; Sat, 11 Dec 2021 03:19:08 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id UHiADJwKtGEWHAAAB5/wlQ (envelope-from ) for ; Sat, 11 Dec 2021 02:19:08 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 039CEBA46 for ; Sat, 11 Dec 2021 03:19:08 +0100 (CET) Received: from localhost ([::1]:37516 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mvryd-0001Ns-4l for larch@yhetil.org; Fri, 10 Dec 2021 21:19:07 -0500 Received: from eggs.gnu.org ([209.51.188.92]:48416) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mvryZ-0001NV-6s for guix-patches@gnu.org; Fri, 10 Dec 2021 21:19:03 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:36710) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mvryY-0004cm-V2 for guix-patches@gnu.org; Fri, 10 Dec 2021 21:19:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1mvryY-0007Do-KI for guix-patches@gnu.org; Fri, 10 Dec 2021 21:19:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#52421] [PATCH][SECURITY] gnu: java-log4j-api: Update to 2.15.0. Resent-From: Julien Lepiller Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 11 Dec 2021 02:19:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 52421 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 52421@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.163918913927748 (code B ref -1); Sat, 11 Dec 2021 02:19:02 +0000 Received: (at submit) by debbugs.gnu.org; 11 Dec 2021 02:18:59 +0000 Received: from localhost ([127.0.0.1]:48256 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mvryV-0007DU-6q for submit@debbugs.gnu.org; Fri, 10 Dec 2021 21:18:59 -0500 Received: from lists.gnu.org ([209.51.188.17]:39174) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mvryS-0007DL-60 for submit@debbugs.gnu.org; Fri, 10 Dec 2021 21:18:58 -0500 Received: from eggs.gnu.org ([209.51.188.92]:48398) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mvryR-0001M3-Oc for guix-patches@gnu.org; Fri, 10 Dec 2021 21:18:56 -0500 Received: from [2a00:5884:8208::1] (port=50210 helo=lepiller.eu) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mvryL-0004BS-5Z for guix-patches@gnu.org; Fri, 10 Dec 2021 21:18:55 -0500 Received: from lepiller.eu (localhost [127.0.0.1]) by lepiller.eu (OpenSMTPD) with ESMTP id 49cb5bfc for ; Sat, 11 Dec 2021 02:12:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=lepiller.eu; h=date:from :to:subject:message-id:mime-version:content-type :content-transfer-encoding; s=dkim; bh=ByVLQQ7mFroUuk2tBQ+wQQBj9 WMMNZmbT4xfzIsP0II=; b=TS5tYIEh+amjPH5VXa4qAoHILX73l1fBVSSXO9lFk 7yvjOEWxrwT23DzPGvRY7aJCVMUfham0S7SQdCXZTpZcpYRmW7yuMpwPB0uXfRXB kdr5L9GQQQQd296buJQkbGA6nYGMgAY4ob8yUtAaD5S2BZ9ZF8yhAypRwiMUmb2k 8ufvMs5GxOTOk6CAU90ghdlxrkHlbzzQCIaFmssb/zWmKbf3f+/D0DMDFaH0chZX vBXGnU5P+A2XfuxRCdQnwZnhPFHZ3PWqd6Uumi6Qt0TvT+ul5J1Gu8n5j6tHJWoq RlFzLgt+imECTW2N6STPa5NCF6+X6pMgX8vgFDH+1KAig== Received: by lepiller.eu (OpenSMTPD) with ESMTPSA id 00f24f50 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for ; Sat, 11 Dec 2021 02:12:07 +0000 (UTC) Date: Sat, 11 Dec 2021 03:11:59 +0100 From: Julien Lepiller Message-ID: <20211211031159.29aa79db@tachikoma.lepiller.eu> X-Mailer: Claws Mail 4.0.0 (GTK+ 3.24.24; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Host-Lookup-Failed: Reverse DNS lookup failed for 2a00:5884:8208::1 (failed) Received-SPF: pass client-ip=2a00:5884:8208::1; envelope-from=julien@lepiller.eu; helo=lepiller.eu X-Spam_score_int: -12 X-Spam_score: -1.3 X-Spam_bar: - X-Spam_report: (-1.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, T_SPF_TEMPERROR=0.01 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1639189148; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=ByVLQQ7mFroUuk2tBQ+wQQBj9WMMNZmbT4xfzIsP0II=; b=qPkPTUR75RgOVV0BnuMy6SeWbUP6smz1woFAuse5Yb/vL8s5bby03yOjtUlNXKh2aSvKlJ 2eXFlDNpK0mvFc7ZYx3hugjc0pekZilvmY9i9QfIvHr6/Z7hAvw7MR3clSL/D7XvIvk9VN 8xAvkVrP9UZjxiSxYfAZ9cP6pp0PDx/FB3FF9PQbsqSCo7Se9gGGgv8ov/v1Y76NO/7mVP klKwFVpm34SeNZcjAbO2NUi/WOmGitNgn0xqec+52lNQnaE7t6JuuqCdCZbzJ0ZNrys5Uj alEt+nD2iBTcIKxex86YZICsu3pVbKa7H9cQCB9ZnuSuC+tHqGcaGCD+DHUy3g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1639189148; a=rsa-sha256; cv=none; b=dx68bo335OcNVTN1KeTL0pGZhyv69EkQVcJ7dT2AQaJpyDc3cU3RXiptbZW0DAqzTin+h/ jes6tT76wFvg+3ayl96SjLKmiqEKmZhnboonckC47DOm1/B/6ZgCvozeeNBcpV7Zo7vsSO 12+Y1f7Z4U/fr6P6NRXVGkS82hjV3wbeUOIul3XjqQOBsvOzrHJCr+xC+CsimcK8Jp1h7h 50arzra8t3eoIhD4J+LLeXwD89pHN76sRrNRpSghv4z6weOrizNb5yTb8jPMCIj1m7gLIG hC68/dM22yez3jXzf+pW6JRco22TNTazVJAqkWs5PHy9aCdf0I05ud7ToGqdRA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lepiller.eu header.s=dkim header.b=TS5tYIEh; dmarc=fail reason="SPF not aligned (relaxed)" header.from=lepiller.eu (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -2.06 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=lepiller.eu header.s=dkim header.b=TS5tYIEh; dmarc=fail reason="SPF not aligned (relaxed)" header.from=lepiller.eu (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 039CEBA46 X-Spam-Score: -2.06 X-Migadu-Scanner: scn1.migadu.com X-TUID: V80W6tPgwkjT Hi Guix! today I learnt about a CVE on log4j. Looking more closely, it seems that log4j2 has had 3 CVEs (at least 3 are listed on https://logging.apache.org/log4j/2.x/security.html) and we're vulnerable to all of them \o/ This series updates to the latest version. Thankfully, log4j keeps a stable API, so there's no breakage in dependents, but a few dependencies had to be added/updated.