Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2211-1 log4net

Debian Security Advisory

DLA-2211-1 log4net -- LTS security update

Date Reported:

15 May 2020

Affected Packages:

log4net

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-1285.

More information:

It was discovered that there was an XML external entity vulnerability in log4net, a logging API for the ECMA Common Language Infrastructure (CLI), sometimes referred to as "Mono".

• CVE-2018-1285

  Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

For Debian 8 Jessie, these problems have been fixed in version 1.2.10+dfsg-6+deb8u1.

We recommend that you upgrade your log4net packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS