Debian Security Advisory

DLA-2211-1 log4net -- LTS security update

Date Reported:
15 May 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-1285.
More information:

It was discovered that there was an XML external entity vulnerability in log4net, a logging API for the ECMA Common Language Infrastructure (CLI), sometimes referred to as "Mono".

  • CVE-2018-1285

    Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

For Debian 8 Jessie, these problems have been fixed in version 1.2.10+dfsg-6+deb8u1.

We recommend that you upgrade your log4net packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: