diff -Nru apache-log4j1.2-1.2.17/debian/changelog apache-log4j1.2-1.2.17/debian/changelog
--- apache-log4j1.2-1.2.17/debian/changelog	2016-03-07 15:29:01.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/changelog	2022-08-18 03:51:56.000000000 +0000
@@ -1,14 +1,49 @@ -apache-log4j1.2 (1.2.17-7ubuntu1) xenial; urgency=low +apache-log4j1.2 (1.2.17-8+deb10u1ubuntu0.1~16.04.sav0) xenial; urgency=medium - * Merge from Debian unstable. Remaining changes: - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - d/liblog4j1.2.manifest,control,rules: Add OSGi manifest for log4j - using javahelper. - - d/control,rules: Switch libmail-java -> libgnumail-java to avoid - Maven in Ubuntu main. + * Backport to Xenial - -- James Page Mon, 07 Mar 2016 15:29:00 +0000 + -- Rob Savoury Wed, 17 Aug 2022 20:51:56 -0700 + +apache-log4j1.2 (1.2.17-8+deb10u1ubuntu0.1) bionic-security; urgency=medium + + * SECURITY UPDATE: code execution via JMS appender + - debian/patches/0002-Disable-JNDI-by-default.patch: Add an additional + option that disables the JMS appender by default. + - CVE-2021-4104 + * Environments that require JMS Appender will need to add the following + to their configuration file: log4j.appender.jms.Enabled=true + + -- Paulo Flabiano Smorigo Mon, 10 Jan 2022 14:36:26 +0000 + +apache-log4j1.2 (1.2.17-8+deb10u1build0.18.04.1) bionic-security; urgency=medium + + * fake sync from Debian + + -- Paulo Flabiano Smorigo Mon, 14 Sep 2020 15:35:14 +0000 + +apache-log4j1.2 (1.2.17-8+deb10u1) buster-security; urgency=high + + * Team upload. + * Fix CVE-2019-17571. (Closes: #947124) + Included in Log4j 1.2 is a SocketServer class that is vulnerable to + deserialization of untrusted data which can be exploited to remotely + execute arbitrary code when combined with a deserialization gadget when + listening to untrusted network traffic for log data. 
+ + -- Markus Koschany Sat, 02 May 2020 16:46:05 +0200 + +apache-log4j1.2 (1.2.17-8) unstable; urgency=medium + + * No longer attempt to install the javadoc jar (Closes: #879251) + * Relocated the log4j:log4j:debian artifact to log4j:log4j:1.2.x + * Build with the DH sequencer instead of CDBS + * Fixed a typo in the doc-base title + * Moved the package to Git + * Standards-Version updated to 4.1.1 + * Switch to debhelper level 10 + * Refreshed debian/copyright + + -- Emmanuel Bourg Sun, 22 Oct 2017 00:55:53 +0200 apache-log4j1.2 (1.2.17-7) unstable; urgency=medium @@ -18,18 +53,6 @@ -- Markus Koschany Tue, 17 Nov 2015 18:22:37 +0100 -apache-log4j1.2 (1.2.17-6ubuntu1) wily; urgency=low - - * Merge from Debian unstable. Remaining changes: - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - d/liblog4j1.2.manifest,control,rules: Add OSGi manifest for log4j - using javahelper. - - d/control,rules: Switch libmail-java -> libgnumail-java to avoid - Maven in Ubuntu main. - - -- James Page Wed, 08 Jul 2015 15:48:09 +0100 - apache-log4j1.2 (1.2.17-6) unstable; urgency=medium * Team upload. @@ -37,18 +60,6 @@ -- Hilko Bengen Tue, 07 Jul 2015 00:47:09 +0200 -apache-log4j1.2 (1.2.17-5ubuntu1) vivid; urgency=low - - * Merge from Debian unstable. Remaining changes: - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - d/liblog4j1.2.manifest,control,rules: Add OSGi manifest for log4j - using javahelper. - - d/control,rules: Switch libmail-java -> libgnumail-java to avoid - Maven in Ubuntu main. - - -- James Page Fri, 05 Dec 2014 14:21:01 +0000 - apache-log4j1.2 (1.2.17-5) unstable; urgency=medium * Team upload. 
@@ -64,27 +75,6 @@ -- Emmanuel Bourg Tue, 30 Sep 2014 14:26:42 +0200 -apache-log4j1.2 (1.2.17-4ubuntu3) trusty; urgency=medium - - * d/liblog4j1.2.manifest: Add missing Bundle-SymbolicName to manifest. - - -- James Page Tue, 25 Mar 2014 09:26:51 +0000 - -apache-log4j1.2 (1.2.17-4ubuntu2) trusty; urgency=medium - - * d/liblog4j1.2.manifest,control,rules: Add OSGi manifest for log4j using - javahelper (LP: #894302). - - -- James Page Mon, 03 Mar 2014 10:56:35 +0000 - -apache-log4j1.2 (1.2.17-4ubuntu1) trusty; urgency=low - - * Merge from Debian unstable (LP: #1246295). Remaining changes: - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - -- Yolanda Robla Tue, 30 Oct 2013 13:41:00 +0100 - apache-log4j1.2 (1.2.17-4) unstable; urgency=low * Removed the dependency on libjboss-jmx-java since javax.management @@ -94,16 +84,6 @@ -- Emmanuel Bourg Tue, 27 Aug 2013 09:52:20 +0200 -apache-log4j1.2 (1.2.17-3ubuntu1) saucy; urgency=low - - * Merge from Debian unstable. Remaining changes: - - d/control: Depend on libmx4j-java (main) instead of - libjboss-jmx-java (universe). - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - -- James Page Thu, 11 Jul 2013 11:29:55 +0100 - apache-log4j1.2 (1.2.17-3) unstable; urgency=low * Removed the dependency on the Activation Framework (libgnujaf-java) @@ -112,16 +92,6 @@ -- Emmanuel Bourg Thu, 16 May 2013 14:46:43 +0200 -apache-log4j1.2 (1.2.17-2ubuntu1) saucy; urgency=low - - * Merge from Debian unstable. Remaining changes: - - d/control: Depend on libmx4j-java (main) instead of - libjboss-jmx-java (universe). - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - -- James Page Mon, 13 May 2013 09:57:05 +0100 - apache-log4j1.2 (1.2.17-2) unstable; urgency=low * Team upload. 
@@ -142,22 +112,6 @@ -- Emmanuel Bourg Tue, 02 Apr 2013 15:23:23 +0200 -apache-log4j1.2 (1.2.16-3ubuntu2) quantal; urgency=low - - * No-change rebuild with openjdk-7 as default-jdk. - - -- James Page Fri, 18 May 2012 11:33:24 +0100 - -apache-log4j1.2 (1.2.16-3ubuntu1) precise; urgency=low - - * Merge from Debian testing (LP: #922890). Remaining changes: - - d/control: Depend on libmx4j-java (main) instead of - libjboss-jmx-java (universe). - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - -- James Page Thu, 09 Feb 2012 16:28:22 +0000 - apache-log4j1.2 (1.2.16-3) unstable; urgency=low * Add Bundle-SymbolicName to jar manifest @@ -168,23 +122,6 @@ -- Jakub Adam Sun, 27 Nov 2011 19:01:34 +0100 -apache-log4j1.2 (1.2.16-2ubuntu2) precise; urgency=low - - * d/control: Really Depend on libmx4j-java (main) instead of - libjboss-jmx-java (universe) to keep log4j in main. - - -- James Page Thu, 24 Nov 2011 11:53:42 +0000 - -apache-log4j1.2 (1.2.16-2ubuntu1) precise; urgency=low - - * Updates to retain log4j in Ubuntu main: - - d/control: Depend on libmx4j-java (main) instead of - libjboss-jmx-java (universe). - - d/{rules,control}: Remove dependency on bnd and don't add - OSGi headers to jar file. - - -- James Page Thu, 24 Nov 2011 09:39:36 +0000 - apache-log4j1.2 (1.2.16-2) unstable; urgency=low [ Ludovic Claude ] @@ -451,4 +388,3 @@ * New package for version 1.2 of the log4j API. (closes: #188708) -- Benoit Joly Thu, 10 Apr 2003 00:03:47 -0400 - diff -Nru apache-log4j1.2-1.2.17/debian/clean apache-log4j1.2-1.2.17/debian/clean --- apache-log4j1.2-1.2.17/debian/clean 1970-01-01 00:00:00.000000000 +0000 +++ apache-log4j1.2-1.2.17/debian/clean 2020-05-02 14:46:05.000000000 +0000 
@@ -0,0 +1,2 @@
+docs/
+log4j-*.jar
diff -Nru apache-log4j1.2-1.2.17/debian/compat apache-log4j1.2-1.2.17/debian/compat
--- apache-log4j1.2-1.2.17/debian/compat	2015-11-17 22:43:26.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/compat	2020-05-02 14:46:05.000000000 +0000
@@ -1 +1 @@
-9
+10
diff -Nru apache-log4j1.2-1.2.17/debian/control apache-log4j1.2-1.2.17/debian/control
--- apache-log4j1.2-1.2.17/debian/control	2016-03-07 14:58:20.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/control	2022-01-10 14:36:26.000000000 +0000
@@ -3,28 +3,29 @@
 Priority: optional
 Maintainer: Ubuntu Developers
 XSBC-Original-Maintainer: Debian Java Maintainers
-Uploaders: Varun Hiremath ,
- Torsten Werner ,
- Ludovic Claude ,
- Jakub Adam ,
- Emmanuel Bourg
-Build-Depends: ant,
- cdbs,
- debhelper (>= 9),
- default-jdk,
- default-jdk-doc,
- javahelper,
- libgnumail-java,
- maven-repo-helper
-Standards-Version: 3.9.6
-Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/apache-log4j1.2
-Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/apache-log4j1.2
+Uploaders:
+ Varun Hiremath ,
+ Torsten Werner ,
+ Ludovic Claude ,
+ Jakub Adam ,
+ Emmanuel Bourg
+Build-Depends:
+ ant,
+ bnd (>= 2.1.0),
+ debhelper (>= 10),
+ default-jdk,
+ default-jdk-doc,
+ libmail-java,
+ maven-repo-helper
+Standards-Version: 4.1.1
+Vcs-Git: https://anonscm.debian.org/git/pkg-java/apache-log4j1.2.git
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/apache-log4j1.2.git
 Homepage: http://logging.apache.org/log4j/1.2/
 Package: liblog4j1.2-java
 Architecture: all
 Depends: ${misc:Depends}
-Suggests: libgnumail-java, liblog4j1.2-java-doc
+Suggests: liblog4j1.2-java-doc, libmail-java
 Description: Logging library for java
 log4j is a tool to help the programmer output log statements to a variety of output targets.
diff -Nru apache-log4j1.2-1.2.17/debian/copyright apache-log4j1.2-1.2.17/debian/copyright
--- apache-log4j1.2-1.2.17/debian/copyright	2015-11-17 22:43:26.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/copyright	2020-05-02 14:46:05.000000000 +0000
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Apache Log4j
 Source: http://logging.apache.org/log4j/1.2/download.html
@@ -9,11 +9,20 @@
 Files: debian/*
 Copyright: 2003-2004, Benoit Joly
- 2005-2007, Kalle Kivimaa
+ 2004-2006, Kalle Kivimaa
 2005-2007, Wolfgang Baer
- 2007, Michael Koch
+ 2006-2008, Matthias Klose
+ 2007-2010, Michael Koch
 2007, Varun Hiremath
 2007-2008, Kumar Appaiah
+ 2009-2011, Ludovic Claude
+ 2009-2011, Torsten Werner
+ 2010, Gabriele Giacone <1o5g4r8o@gmail.com>
+ 2011, Jakub Adam
+ 2013, tony mancill
+ 2015, Hilko Bengen
+ 2015, Markus Koschany
+ 2013-2017, Emmanuel Bourg
 License: Apache-2.0
 License: Apache-2.0
diff -Nru apache-log4j1.2-1.2.17/debian/liblog4j1.2-java-doc.doc-base apache-log4j1.2-1.2.17/debian/liblog4j1.2-java-doc.doc-base
--- apache-log4j1.2-1.2.17/debian/liblog4j1.2-java-doc.doc-base	2015-11-17 22:43:26.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/liblog4j1.2-java-doc.doc-base	2020-05-02 14:46:05.000000000 +0000
@@ -1,5 +1,5 @@
 Document: liblog4j1.2-java-doc
-Title: Documenation for log4j 1.2
+Title: Documentation for log4j 1.2
 Author: The Apache log4j team
 Abstract: This is the documentation for log4j, a logging library for java. The documentation includes the javadoc API.
diff -Nru apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.manifest apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.manifest
--- apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.manifest	2014-03-25 09:25:45.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.manifest	1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-/usr/share/java/log4j-1.2.jar:
- Bundle-SymbolicName: org.apache.log4j
- Bundle-ManifestVersion: 2
- Bundle-Name: Apache Log4j
- Bundle-Version: 1.2.17
- Bundle-Vendor: Apache Software Foundation
- Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
- Export-Package: org.apache.log4j.net;uses:="org.apache.log4j,org.apache.log4j.spi,javax.mail,org.apache.log4j.helpers,org.apache.log4j.xml,javax.mail.internet",org.apache.log4j.jmx;uses:="org.apache.log4j,javax.management,org.apache.log4j.helpers,org.apache.log4j.spi",org.apache.log4j.jdbc;uses:="org.apache.log4j,org.apache.log4j.spi",org.apache.log4j.config;uses:="org.apache.log4j.helpers,org.apache.log4j,org.apache.log4j.spi",org.apache.log4j.helpers;uses:="org.apache.log4j,org.apache.log4j.spi",org.apache.log4j;uses:="org.apache.log4j.spi,org.apache.log4j.helpers,org.apache.log4j.or,org.apache.log4j.config",org.apache.log4j.nt;uses:="org.apache.log4j.helpers,org.apache.log4j,org.apache.log4j.spi",org.apache.log4j.or.sax;uses:="org.apache.log4j.or",org.apache.log4j.spi;uses:="org.apache.log4j,org.apache.log4j.helpers,com.ibm.uvm.tools,org.apache.log4j.or",org.apache.log4j.or;uses:="org.apache.log4j.helpers,org.apache.log4j.spi,org.apache.log4j",org.apache.log4j.xml;uses:="org.apache.log4j.config,org.apache.log4j.helpers,org.apache.log4j,org.apache.log4j.spi,org.apache.log4j.or",org.apache.log4j.varia;uses:="org.apache.log4j.spi,org.apache.log4j,org.apache.log4j.helpers"
- Import-Package: com.ibm.uvm.tools;resolution:=optional,javax.mail;resolution:=optional,javax.mail.internet;resolution:=optional,javax.management;resolution:=optional,javax.naming;resolution:=optional,javax.swing;resolution:=optional,javax.swing.border;resolution:=optional,javax.swing.event;resolution:=optional,javax.swing.table;resolution:=optional,javax.swing.text;resolution:=optional,javax.swing.tree;resolution:=optional
diff -Nru apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.poms apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.poms
--- apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.poms	2015-11-17 22:43:26.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/liblog4j1.2-java.poms	2020-05-02 14:46:05.000000000 +0000
@@ -1,2 +1 @@
-pom.xml --has-package-version --java-lib --usj-name=log4j-1.2 --artifact=dist/lib/log4j-*.jar
-dist/lib/log4j.javadoc.pom --has-package-version --artifact=dist/lib/log4j.javadoc.jar --classifier=javadoc --ignore-pom --package=liblog4j-1.2-java-doc
+pom.xml --has-package-version --java-lib --usj-name=log4j-1.2 --artifact=dist/lib/log4j-*.jar --relocate=log4j:log4j:debian
diff -Nru apache-log4j1.2-1.2.17/debian/patches/0002-Disable-JNDI-by-default.patch apache-log4j1.2-1.2.17/debian/patches/0002-Disable-JNDI-by-default.patch
--- apache-log4j1.2-1.2.17/debian/patches/0002-Disable-JNDI-by-default.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/patches/0002-Disable-JNDI-by-default.patch	2022-01-10 14:36:23.000000000 +0000
@@ -0,0 +1,57 @@
+From 39b0d64d6e4c72b41eb08bebcf24f2ca861574ec Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski
+Date: Wed, 15 Dec 2021 16:02:07 +0100
+Subject: [PATCH 2/2] Disable JNDI by default
+
+JNDI, which is used by JMS appender, has significant security issues.
+It is safer for users to disable JMS appender by default,
+especially since the large majority are unlikely to be using it.
+Those who are will need to explicitly enable it, for example:
+
+ log4j.appender.jms=org.apache.log4j.net.JMSAppender
+ log4j.appender.jms.Enabled=true
+
+This is a simillar approach to the one implemented in Log4J 2:
+https://issues.apache.org/jira/browse/LOG4J2-3208
+---
+ .../java/org/apache/log4j/net/JMSAppender.java | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- apache-log4j1.2-1.2.17.orig/src/main/java/org/apache/log4j/net/JMSAppender.java
++++ apache-log4j1.2-1.2.17/src/main/java/org/apache/log4j/net/JMSAppender.java
+@@ -101,6 +101,7 @@ import java.util.Properties;
+ @author Ceki Gülcü */
+ public class JMSAppender extends AppenderSkeleton {
+ 
++ boolean enabled;
+ String securityPrincipalName;
+ String securityCredentials;
+ String initialContextFactoryName;
+@@ -120,6 +121,16 @@ public class JMSAppender extends Appende
+ JMSAppender() {
+ }
+ 
++ public
++ void setEnabled(boolean enabled) {
++ this.enabled = enabled;
++ }
++
++ public
++ boolean getEnabled() {
++ return enabled;
++ }
++
+ /**
+ The TopicConnectionFactoryBindingName option takes a
+ string value. Its value will be used to lookup the appropriate
+@@ -170,6 +181,10 @@ public class JMSAppender extends Appende
+ * Options are activated and become effective only after calling
+ * this method.*/
+ public void activateOptions() {
++ if (!enabled) {
++ throw new IllegalStateException("JMS appender is disabled by default and must be enabled by setting Enabled=true property of the appender");
++ }
++
+ TopicConnectionFactory topicConnectionFactory;
+ 
+ try {
diff -Nru apache-log4j1.2-1.2.17/debian/patches/CVE-2019-17571.patch apache-log4j1.2-1.2.17/debian/patches/CVE-2019-17571.patch
--- apache-log4j1.2-1.2.17/debian/patches/CVE-2019-17571.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/patches/CVE-2019-17571.patch	2020-05-02 14:46:05.000000000 +0000
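Review bot: The guard added to activateOptions() fails hard with an IllegalStateException instead of leaving the appender inert, so any configuration that still declares a JMSAppender without `log4j.appender.jms.Enabled=true` now fails at configuration time; whether that aborts the whole PropertyConfigurator/DOMConfigurator run or only this appender depends on the callers, which are outside the hunk, and should be verified before shipping. A loud failure is a defensible stance for a CVE-2021-4104 mitigation, but it has to be announced where operators look: the changelog names the property, yet the commit adds no debian/NEWS or README.Debian entry, and the patch description should give the exact property line it already shows in its example. The title and body say "Disable JNDI by default" while the code only gates JMSAppender.activateOptions(); the description should state that scope so nobody assumes other JNDI use in log4j 1.2 is covered. Minor style: `getEnabled()` departs from the JavaBeans `isEnabled()` accessor name for a boolean property, although for property-file configuration only the setter appears to matter.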
@@ -0,0 +1,125 @@
+From: Markus Koschany
+Date: Sun, 12 Jan 2020 19:55:12 +0100
+Subject: CVE-2019-17571
+
+Bug-Debian: https://bugs.debian.org/947124
+Origin: https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
+---
+ .../apache/log4j/FilteredObjectInputStream.java | 65 ++++++++++++++++++++++
+ src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++-
+ 2 files changed, 80 insertions(+), 2 deletions(-)
+ create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+
+diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+new file mode 100644
+index 0000000..b9ef20c
+--- /dev/null
++++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+@@ -0,0 +1,65 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache license, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the license for the specific language governing permissions and
++ * limitations under the license.
++ */
++package org.apache.log4j;
++
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.InvalidObjectException;
++import java.io.ObjectInputStream;
++import java.io.ObjectStreamClass;
++import java.util.Arrays;
++import java.util.Collection;
++import java.util.List;
++
++/**
++ * Extended ObjectInputStream that only allows certain classes to be deserialized.
++ *
++ * Backported from 2.8.2
++ */
++public class FilteredObjectInputStream extends ObjectInputStream {
++
++ private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] {
++ // Types of non-trainsient fields of LoggingEvent
++ "java.lang.String",
++ "java.util.Hashtable",
++ // ThrowableInformation
++ "[Ljava.lang.String;"
++ });
++
++ private final Collection allowedClasses;
++
++ public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException {
++ super(in);
++ this.allowedClasses = allowedClasses;
++ }
++
++ protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
++ String name = desc.getName();
++ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
++ throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
++ }
++ return super.resolveClass(desc);
++ }
++
++ private static boolean isAllowedByDefault(final String name) {
++ return name.startsWith("org.apache.log4j.") ||
++ name.startsWith("[Lorg.apache.log4j.") ||
++ REQUIRED_JAVA_CLASSES.contains(name);
++ }
++
++}
+diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java
+index e977f13..f95bb10 100644
+--- a/src/main/java/org/apache/log4j/net/SocketNode.java
++++ b/src/main/java/org/apache/log4j/net/SocketNode.java
+@@ -22,6 +22,10 @@ import java.io.IOException;
+ import java.io.InterruptedIOException;
+ import java.io.ObjectInputStream;
+ import java.net.Socket;
++import java.util.ArrayList;
++import java.util.Arrays;
++import java.util.Collection;
++import org.apache.log4j.FilteredObjectInputStream;
+ 
+ import org.apache.log4j.Logger;
+ import org.apache.log4j.spi.LoggerRepository;
+@@ -53,8 +57,9 @@ public class SocketNode implements Runnable {
+ this.socket = socket;
+ this.hierarchy = hierarchy;
+ try {
+- ois = new ObjectInputStream(
+- new BufferedInputStream(socket.getInputStream()));
++ ois = new FilteredObjectInputStream(
++ new BufferedInputStream(socket.getInputStream()),
++ getAllowedClasses());
+ } catch(InterruptedIOException e) {
+ Thread.currentThread().interrupt();
+ logger.error("Could not open ObjectInputStream to "+socket, e);
+@@ -65,6 +70,14 @@ public class SocketNode implements Runnable {
+ }
+ }
+ 
++ private Collection getAllowedClasses() {
++ Collection allowedClasses = new ArrayList();
++ String property = System.getProperty("org.apache.log4j.net.allowedClasses");
++ if (property != null)
++ allowedClasses.addAll(Arrays.asList(property.split(",")));
++ return allowedClasses;
++ }
++
+ //public
+ //void finalize() {
+ //System.err.println("-------------------------Finalize called");
diff -Nru apache-log4j1.2-1.2.17/debian/patches/series apache-log4j1.2-1.2.17/debian/patches/series
--- apache-log4j1.2-1.2.17/debian/patches/series	2015-11-17 22:43:26.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/patches/series	2022-01-10 14:36:23.000000000 +0000
@@ -2,3 +2,5 @@
 remove-activation-framework-dependency.patch
 add-missing-classes.patch
+CVE-2019-17571.patch
+0002-Disable-JNDI-by-default.patch
diff -Nru apache-log4j1.2-1.2.17/debian/rules apache-log4j1.2-1.2.17/debian/rules
--- apache-log4j1.2-1.2.17/debian/rules	2016-03-07 14:58:35.000000000 +0000
+++ apache-log4j1.2-1.2.17/debian/rules	2020-05-02 14:46:05.000000000 +0000
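Review bot: getAllowedClasses() in the SocketNode part of the hunk splits the `org.apache.log4j.net.allowedClasses` property on "," without trimming, so a value written as `a.b.C, a.b.D` yields the entry " a.b.D", which can never equal a class name in resolveClass(); trim each entry and drop empty ones, as below. That property is the only way an operator can extend the allowlist, yet nothing in the commit documents it (the patch header only links the Debian bug and the Fedora origin), so a short README.Debian note, or at least a sentence in the patch description, is needed. In FilteredObjectInputStream, `import java.io.FileOutputStream;` is unused and the comment `non-trainsient` should read `non-transient`. Also worth recording in the description: isAllowedByDefault() admits every class under `org.apache.log4j.`, not just the LoggingEvent object graph; that matches the 2.8.2 backport it cites, but it is a known breadth of the allowlist rather than a tight one.
```java
    private Collection getAllowedClasses() {
        Collection allowedClasses = new ArrayList();
        String property = System.getProperty("org.apache.log4j.net.allowedClasses");
        if (property != null) {
            String[] names = property.split(",");
            for (int i = 0; i < names.length; i++) {
                // Tolerate "a, b" style values; a stray space would otherwise
                // produce an entry that can never match a class name.
                String name = names[i].trim();
                if (name.length() > 0) {
                    allowedClasses.add(name);
                }
            }
        }
        return allowedClasses;
    }
```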
@@ -1,31 +1,22 @@
 #!/usr/bin/make -f
-include /usr/share/cdbs/1/rules/debhelper.mk
-include /usr/share/cdbs/1/class/javahelper.mk
-include /usr/share/cdbs/1/class/ant.mk
-
-PACKAGE := $(DEB_SOURCE_PACKAGE)
-VERSION := $(DEB_UPSTREAM_VERSION)
-JAVA_HOME := /usr/lib/jvm/default-java
-ANT_HOME := /usr/share/ant
-DEB_JARS := gnumail
-DEB_ANT_BUILD_TARGET := jar javadoc
-DEB_ANT_ARGS := -Dversion=$(VERSION)
-
-clean::
-	-$(RM) -r docs
-	-rm -rf debian/tmp
-	rm -Rf debian/liblog4j-1.2-java-doc/*
-	rm -Rf debian/log4j-${VERSION}.bar
-	mh_clean
-
-common-build-indep::
-	cp pom.xml dist/lib/log4j.javadoc.pom
-	jar cvf dist/lib/log4j.javadoc.jar -C docs/api/ .
-
-install/liblog4j1.2-java::
-	$(RM) dist/lib/log4j-*-sources.jar
-	mh_install
+VERSION := 1.2.17
+
+%:
+	dh $@ --with maven-repo-helper
+
+override_dh_auto_build:
+	dh_auto_build -- jar javadoc -Djavamail.jar=/usr/share/java/javax.mail.jar
+
+	cat debian/log4j.bnd | sed s/VERSION/$(VERSION)/ > debian/.log4j-versioned.bnd
+	java -jar /usr/share/java/bnd.jar wrap --properties debian/.log4j-versioned.bnd dist/lib/log4j-$(VERSION).jar
+	java -jar /usr/share/java/bnd.jar wrap --properties debian/.log4j-versioned.bnd \
+	--classpath /usr/share/java/javax.mail.jar \
+	--output log4j.jar dist/lib/log4j-$(VERSION).jar
+	rm debian/.log4j-versioned.bnd dist/lib/log4j-$(VERSION).jar
+	mv log4j.jar dist/lib/log4j-$(VERSION).jar
+
+	rm dist/lib/log4j-*-sources.jar
 get-orig-source:
-	-uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download
+	-uscan --download-current-version --force-download
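Review bot: The first `java -jar /usr/share/java/bnd.jar wrap --properties debian/.log4j-versioned.bnd dist/lib/log4j-$(VERSION).jar` line in override_dh_auto_build has no `--output`, and nothing later in the recipe consumes whatever it writes, so it looks like a leftover of the second invocation that ends in `--output log4j.jar`; if it is intentional, a comment saying what it produces (and a matching debian/clean entry) is needed, otherwise drop it. `VERSION := 1.2.17` replaces the old `$(DEB_UPSTREAM_VERSION)` with a hard-coded value that silently goes stale on the next upstream bump; `include /usr/share/dpkg/pkg-info.mk` followed by `VERSION := $(DEB_VERSION_UPSTREAM)` keeps it derived from debian/changelog. Minor: `cat debian/log4j.bnd | sed s/VERSION/$(VERSION)/ > debian/.log4j-versioned.bnd` can be `sed s/VERSION/$(VERSION)/ debian/log4j.bnd > debian/.log4j-versioned.bnd`, and `get-orig-source` is still not declared in a `.PHONY` line anywhere in the file, which predates this change to its recipe.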