Bug 26608 - log4net new security issue CVE-2018-1285
Summary: log4net new security issue CVE-2018-1285
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-11 15:39 CEST by David Walser
Modified: 2020-05-27 11:54 CEST

See Also:
Source RPM: log4net-2.0.8-3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-05-11 15:39:18 CEST
Apache has issued an advisory on May 10:
https://www.openwall.com/lists/oss-security/2020/05/10/1

There is no fix, only a mitigation, and this is dead abandoned software.

Mageia 7 is also affected.
David Walser 2020-05-11 15:39:34 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => No fix available as of May 2020

Comment 1 David Walser 2020-05-20 04:05:33 CEST
Debian-LTS has issued an advisory for this on May 15:
https://www.debian.org/lts/security/2020/dla-2211

They seem to think this is a fix:
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

Status comment: No fix available as of May 2020 => Possible fix upstream

Nicolas Lécureuil 2020-05-22 14:32:01 CEST

CC: (none) => mageia
Version: Cauldron => 7
Status comment: Possible fix upstream => (none)
Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2020-05-22 14:35:03 CEST
Advisory:

This update fixes CVE-2018-1285.
This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way log4net parses XML configuration files, where it allowed XML External Entity processing. An attacker could use this as an attack vector if he could modify the XML configuration file.

References:
https://www.debian.org/lts/security/2020/dla-2211
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

rpms:
log4net-2.0.8-2.1.mga7
log4net-devel-2.0.8-2.1.mga7
from:
log4net-2.0.8-2.1.mga7

Assignee: java => qa-bugs

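Added example, not log4net's own code and not the upstream commit linked above: a small C# console program that shows the XML External Entity issue the advisory describes, with a loader that resolves external entities beside one that refuses DTDs. The configuration string, the temporary "secret" file it points at, and the helper names (BuildMaliciousConfig, LoadPermissive, LoadHardened) are constructed for this illustration; the hardened settings (DtdProcessing.Prohibit, XmlResolver = null) are the usual .NET mitigation for XML from an untrusted source. Note the precondition the advisory states: the attacker must already be able to write the configuration file, so the gain is reading files the logging process can open but the attacker cannot.

```csharp
// Added example, not log4net code: XXE through an XML configuration file,
// shown with a loader that resolves external entities and one that refuses DTDs.
using System;
using System.IO;
using System.Xml;

static class XxeConfigDemo
{
    // Builds a constructed, attacker-modified log4net-style configuration whose
    // DOCTYPE declares an external entity and expands it into an attribute value.
    static string BuildMaliciousConfig(string fileUri)
    {
        return "<?xml version=\"1.0\"?>\n" +
               "<!DOCTYPE log4net [\n" +
               "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n" +
               "]>\n" +
               "<log4net>\n" +
               "  <appender name=\"&xxe;\" type=\"log4net.Appender.ConsoleAppender\" />\n" +
               "</log4net>\n";
    }

    // Permissive loader: the DTD is parsed and XmlUrlResolver fetches SYSTEM
    // entities, so the referenced file's contents end up inside the document.
    static XmlDocument LoadPermissive(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        var doc = new XmlDocument();
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    // Hardened loader: any DOCTYPE is a parse error and no resolver is available,
    // so an external entity can never be fetched.
    static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    static void Main()
    {
        // A temp file stands in for a secret the attacker cannot read directly
        // but the logging application can (constructed for the demo).
        string secretPath = Path.GetTempFileName();
        File.WriteAllText(secretPath, "db-password=hunter2");
        string config = BuildMaliciousConfig(new Uri(secretPath).AbsoluteUri);

        // Permissive parse: the appender name now carries the file contents.
        var leaked = LoadPermissive(config);
        Console.WriteLine("permissive: appender name = " +
            leaked.SelectSingleNode("/log4net/appender/@name").Value);

        // Hardened parse: the DOCTYPE is rejected before any entity is resolved.
        try
        {
            LoadHardened(config);
            Console.WriteLine("hardened: DOCTYPE unexpectedly accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened: rejected, " + ex.Message);
        }
        finally
        {
            File.Delete(secretPath);
        }
    }
}
```

Run it with `dotnet run` in a console project; the first line prints the temp file's contents as the appender name, the second reports the XmlException raised by the prohibited DOCTYPE. The same two settings are the check to make on any application that loads XML from a path a less-privileged user can write.
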
Comment 3 Herman Viaene 2020-05-24 14:04:25 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Previous update was bug 4816 from 2006.
Googled and found a.o. https://stackify.com/log4net-guide-dotnet-logging/
This is pure developers stuff. I propose to OK on clean install if the higher powers agree.

CC: (none) => herman.viaene

Comment 4 David Walser 2020-05-24 14:41:57 CEST
Yeah, clean upgrade is sufficient.
Herman Viaene 2020-05-24 16:39:54 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-05-26 03:34:32 CEST
Thank you Herman, David. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-05-27 11:07:09 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-05-27 11:54:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0233.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
