
Mageia alert MGASA-2020-0233 (log4net)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2020-0233: Updated log4net packages fix security vulnerability
Date:  Wed, 27 May 2020 11:53:48 +0200
Message-ID:  <20200527095348.0F19F9F6FB@duvel.mageia.org>

MGASA-2020-0233 - Updated log4net packages fix security vulnerability

Publication date: 27 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0233.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2018-1285

Description:
Updated log4net packages fix security vulnerability

This patch fixes a security vulnerability reported by Karthik Balasundaram.
The vulnerability was in the way log4net parses XML configuration files,
where it allowed XML External Entity processing. An attacker could use this
as an attack vector if he could modify the XML configuration file.

References:
- https://bugs.mageia.org/show_bug.cgi?id=26608
- https://www.debian.org/lts/security/2020/dla-2211
- https://github.com/apache/logging-log4net/commit/d0b4b015...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1285

SRPMS:
- 7/core/log4net-2.0.8-2.1.mga7
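
An added example, not part of the Mageia advisory or of log4net: because the issue depends on an attacker being able to modify the XML configuration file, a defender can audit log4net configuration files for DOCTYPE and entity declarations. The function name and both sample documents are constructed for illustration, and the check assumes your configurations do not legitimately use a DTD.

```python
import xml.parsers.expat as expat

# Constructed sample: an ordinary log4net configuration with no DTD.
CLEAN = b"""<?xml version="1.0"?>
<log4net>
  <appender name="File" type="log4net.Appender.FileAppender">
    <file value="app.log" />
  </appender>
  <root><level value="INFO" /><appender-ref ref="File" /></root>
</log4net>"""

# Constructed sample: same format, but carrying an external entity
# declaration (placeholder system identifier).
SUSPICIOUS = b"""<?xml version="1.0"?>
<!DOCTYPE log4net [
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<log4net>
  <root><level value="INFO" /></root>
</log4net>"""


def audit_log4net_config(xml_bytes):
    """Return (kind, name, system_id) findings for DTD constructs.

    expat only reports the declarations here; nothing is resolved or fetched.
    """
    findings = []
    parser = expat.ParserCreate()
    # Never load an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if system_id is not None else "internal-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # A malformed configuration is itself worth reporting.
        findings.append(("parse-error", str(exc), None))
    return findings
```

An empty result means no DTD constructs were found; any finding in a deployed configuration file is a reason to check who changed the file and whether the updated package is installed.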

