Apache has issued an advisory today (December 28): https://www.openwall.com/lists/oss-security/2021/12/28/1 The issue is fixed upstream in 2.17.1. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.17.1Whiteboard: (none) => MGA8TOO
fixed in mga 8/9 src: - log4j-2.17.1-1.mga8
Whiteboard: MGA8TOO => (none)Status comment: Fixed upstream in 2.17.1 => (none)Version: Cauldron => 8Assignee: java => qa-bugsCC: (none) => mageia
log4j-jcl-2.17.1-1.mga8 log4j-slf4j-2.17.1-1.mga8 log4j-2.17.1-1.mga8 from log4j-2.17.1-1.mga8.src.rpm
openSUSE has issued an advisory for this on December 30: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QD3TW7GD6PF3ZSKL2TJG3Z462FFFLJND/
No installation issues. Downloaded the attachment and used Brian's test from https://bugs.mageia.org/show_bug.cgi?id=29766#c24 (Thank you, Brian!) [tom@localhost ~]$ cd log4j_t1/bin/ [tom@localhost bin]$ java -cp .:/usr/share/java/log4j/log4j-core.jar:/usr/share/java/log4j/log4j-api.jar log4j_t1.Test1L 15:51:41.134 [main] ERROR HelloWorld - Hello, World! Seems to be working. Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0002.html
Status: NEW => RESOLVEDResolution: (none) => FIXED