Bug 26608

Summary: log4net new security issue CVE-2018-1285
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: log4net-2.0.8-3.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2020-05-11 15:39:18 CEST
Apache has issued an advisory on May 10:
https://www.openwall.com/lists/oss-security/2020/05/10/1

There is no fix, only a mitigation, and this is dead abandoned software.

Mageia 7 is also affected.
David Walser 2020-05-11 15:39:34 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => No fix available as of May 2020

Comment 1 David Walser 2020-05-20 04:05:33 CEST
Debian-LTS has issued an advisory for this on May 15:
https://www.debian.org/lts/security/2020/dla-2211

They seem to think this is a fix:
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

Status comment: No fix available as of May 2020 => Possible fix upstream

Nicolas Lécureuil 2020-05-22 14:32:01 CEST

CC: (none) => mageia
Version: Cauldron => 7
Status comment: Possible fix upstream => (none)
Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2020-05-22 14:35:03 CEST
Advisory:

This update fixes CVE-2018-1285.
This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way log4net parses XML configuration files, where it allowed XML External Entity Processing. An attacker could use this as an attack vector if he could modify the XML configuration file.

References:
https://www.debian.org/lts/security/2020/dla-2211
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

rpms:
log4net-2.0.8-2.1.mga7
log4net-devel-2.0.8-2.1.mga7
from:
log4net-2.0.8-2.1.mga7

Assignee: java => qa-bugs
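
The XXE weakness described in the advisory above, as an added C# example that is not part of this bug report and not log4net's own code: a constructed log4net-style configuration carrying a DOCTYPE with an external entity (the file path is a placeholder), a loader that mirrors the weak pre-fix behaviour (an assumption about the old code, not copied from the linked commit), the hardened loader that prohibits DTDs and detaches the resolver, and a check an administrator can run over deployed config files. The class name SafeLog4netConfigLoader and the method names are mine.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not log4net code: parsing a log4net-style XML configuration with
// DTD processing disabled, so a tampered config file cannot pull in external entities.
public static class SafeLog4netConfigLoader
{
    // Constructed sample: a minimal log4net-style config carrying a DOCTYPE with an
    // external entity. The SYSTEM path is a placeholder, not a real file.
    public const string ConstructedTamperedConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<!DOCTYPE log4net [
  <!ENTITY ext SYSTEM ""file:///PLACEHOLDER/local-file.txt"">
]>
<log4net>
  <appender name=""Console"" type=""log4net.Appender.ConsoleAppender"">
    <layout type=""log4net.Layout.PatternLayout"">
      <conversionPattern value=""&ext;"" />
    </layout>
  </appender>
  <root><level value=""INFO"" /><appender-ref ref=""Console"" /></root>
</log4net>";

    // Weak setting (assumed pre-fix behaviour): DTDs are parsed and a resolver is
    // attached, so &ext; is expanded from the file system while the document loads.
    public static XmlDocument LoadAllowingDtd(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = new XmlUrlResolver() };
        doc.Load(reader);
        return doc;
    }

    // Corrected setting: any DOCTYPE makes the reader throw an XmlException, and with
    // no resolver attached nothing external can be fetched even if one slipped through.
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    // Deployment check: a valid log4net config never needs a DOCTYPE, so its presence
    // in a shipped config file is worth flagging. The DTD is read (internal subset only,
    // resolver detached) but the scan stops at the root element, before any entity
    // reference could be expanded.
    public static bool ContainsDoctype(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = null
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        while (reader.Read())
        {
            if (reader.NodeType == XmlNodeType.DocumentType) return true;
            if (reader.NodeType == XmlNodeType.Element) return false; // root reached, no DOCTYPE
        }
        return false;
    }

    public static void Main()
    {
        Console.WriteLine("DOCTYPE present: " + ContainsDoctype(ConstructedTamperedConfig));
        try
        {
            LoadHardened(ConstructedTamperedConfig);
            Console.WriteLine("hardened loader accepted the config (unexpected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened loader rejected the config: " + ex.Message);
        }
    }
}
```

On .NET Framework 4.5.2 and later and on .NET Core, XmlDocument already defaults to a null resolver, so LoadAllowingDtd has to attach one explicitly to reproduce the weak behaviour; the point of the hardened loader is that the DOCTYPE is rejected outright, which does not depend on that default.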

Comment 3 Herman Viaene 2020-05-24 14:04:25 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Previous update was bug 4816 from 2006.
Googled and found a.o. https://stackify.com/log4net-guide-dotnet-logging/
This is pure developers stuff. I propose to OK on clean install if the higher powers agree.

CC: (none) => herman.viaene

Comment 4 David Walser 2020-05-24 14:41:57 CEST
Yeah, clean upgrade is sufficient.
Herman Viaene 2020-05-24 16:39:54 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-05-26 03:34:32 CEST
Thank you Herman, David. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-05-27 11:07:09 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-05-27 11:54:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0233.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED