apache-log4j2 (2.7-2+deb9u1) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2021-44228:
    Chen Zhaojun of Alibaba Cloud Security Team discovered that JNDI features
    used in configuration, log messages, and parameters do not protect
    against attacker-controlled LDAP and other JNDI-related endpoints. An
    attacker who can control log messages or log message parameters can
    execute arbitrary code loaded from LDAP servers when message lookup
    substitution is enabled.

 -- Markus Koschany <apo@debian.org>  Sun, 12 Dec 2021 02:17:57 +0100

apache-log4j2 (2.7-2) unstable; urgency=medium

  * Team upload.
  * Fixed CVE-2017-5645: When using the TCP socket server or UDP socket server
    to receive serialized log events from another application, a specially
    crafted binary payload can be sent that, when deserialized, can execute
    arbitrary code (Closes: #860489)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 18 Apr 2017 14:30:00 +0200

apache-log4j2 (2.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Ignore the new log4j-api-scala modules
    - New dependencies on libconversant-disruptor-java, libjcommander-java
      and libjctools-java
  * Transition to the Servlet API 3.1
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 21 Oct 2016 18:22:32 +0200

apache-log4j2 (2.6.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Jul 2016 19:32:56 +0200

apache-log4j2 (2.6.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with jackson and mongodb
    - New dependencies on groovy, libwoodstox-java and libbsh-java
    - Ignore the new test dependencies
  * Exclude the minified JavaScript files from the upstream tarball
  * Standards-Version updated to 3.9.8
  * Use a secure Vcs-Git URL

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Jul 2016 16:08:33 +0200

apache-log4j2 (2.4-2) unstable; urgency=medium

  * Team upload.
  * maven.rules: Fix substitution rules for javax.servlet API.
    Thanks to Chris Lamb for the report. (Closes: #809619)
  * Switch from cdbs to dh sequencer.
  * Vcs-Browser: Use https.

 -- Markus Koschany <apo@debian.org>  Sat, 09 Jan 2016 14:23:29 +0100

apache-log4j2 (2.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - New dependencies on libcommons-compress-java, libcommons-csv-java
      and libjeromq-java
    - Ignore the new liquibase module
    - Disabled the new Kafka appender

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 Oct 2015 19:44:48 +0200

apache-log4j2 (2.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * liblog4j2-java.poms:
    - Add and enable the new modules: log4j-nosql, log4j-web, log4j2-jul
      and log4j-bom
    - Remove the log4j-osgi module
    - Ignore log4j-iostreams and log4j-perf modules
  * maven.ignoreRules: Ignore all artifacts which make the build FTBFS,
    including maven-failsafe-plugin, woodstox-core-asl, json-unit,
    activemq-broker.
  * debian/control:
    - Declare compliance with Debian Policy 3.9.6.
    - Switch Vcs-Browser field to cgit.
    - New build dependencies on libmaven-source-plugin-java,
      libcommons-lang3-java, libjackson2-dataformat-yaml,
      libjackson2-dataformat-xml-java and jackson-module-jaxb-annotations
  * Update maven.rules due to additional build-dependencies.

  [ Emmanuel Bourg ]
  * Build depend on libmail-java instead of libgnumail-java
  * debian/watch: Watch the release tags on GitHub

 -- Markus Koschany <apo@gambaru.de>  Fri, 29 May 2015 14:43:11 +0200

apache-log4j2 (2.0~beta9-1) unstable; urgency=medium

  * Initial release (Closes: #718867)

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 19 Mar 2014 11:49:25 +0100
