Debian Security Advisory
DLA-2211-1 log4net -- LTS security update
- Date Reported: 15 May 2020
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2018-1285.
- More information:
It was discovered that there was an XML external entity vulnerability in log4net, a logging API for the ECMA Common Language Infrastructure (CLI), sometimes referred to as "Mono".
Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
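The mitigation pattern for an application that must accept configuration XML from users, as an added example (not code from the advisory or from log4net): parse the input with DTD processing prohibited and no resolver before it reaches the logging library. The class name, method name and sample documents are constructed for illustration; handing the resulting element to log4net's XmlConfigurator.Configure(XmlElement) so that log4net does not parse the file itself is an assumption about how the application is wired.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class HardenedConfigLoader
{
    // Parse untrusted configuration XML with DTDs rejected and no resolver,
    // so entity declarations are never processed and nothing external is fetched.
    public static XmlElement Load(Stream input)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                      // no external resource resolution
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(input, settings))
            doc.Load(reader);
        if (doc.DocumentElement == null || doc.DocumentElement.Name != "log4net")
            throw new XmlException("root element is not <log4net>");
        return doc.DocumentElement;
    }

    static void Main()
    {
        // Constructed samples: a plain config, and one declaring an external entity.
        string plain = "<log4net><root><level value=\"INFO\"/></root></log4net>";
        string withDtd =
            "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"file:///placeholder\">]>" +
            "<log4net><root><level value=\"&ext;\"/></root></log4net>";

        foreach (string xml in new[] { plain, withDtd })
        {
            try
            {
                XmlElement root = Load(new MemoryStream(Encoding.UTF8.GetBytes(xml)));
                // Assumption: the application passes this element to
                // XmlConfigurator.Configure(XmlElement) rather than a file path.
                Console.WriteLine("accepted: <" + root.Name + ">");
            }
            catch (XmlException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

The first sample is accepted and the second is rejected at the DOCTYPE declaration, before any entity is expanded.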
For Debian 8 Jessie, these problems have been fixed in version 1.2.10+dfsg-6+deb8u1.
We recommend that you upgrade your log4net packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS