Apache has issued an advisory on May 10: https://www.openwall.com/lists/oss-security/2020/05/10/1 There is no fix, only a mitigation, and this is dead abandoned software. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => No fix available as of May 2020
Debian-LTS has issued an advisory for this on May 15: https://www.debian.org/lts/security/2020/dla-2211 They seem to think this is a fix: https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7
Status comment: No fix available as of May 2020 => Possible fix upstream
CC: (none) => mageia
Version: Cauldron => 7
Status comment: Possible fix upstream => (none)
Whiteboard: MGA7TOO => (none)
Advisory:
This update fixes CVE-2018-1285.
This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way how log4net parses xml configuration files where it allowed to process XML External Entity Processing. An attacker could use this as an attack vector if he could modify the XML configuration file.
References:
https://www.debian.org/lts/security/2020/dla-2211
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7
rpms:
log4net-2.0.8-2.1.mga7
log4net-devel-2.0.8-2.1.mga7
from: log4net-2.0.8-2.1.mga7
Assignee: java => qa-bugs
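The advisory above describes XML External Entity processing in the XML configuration parser. The following C# program is an added example, not log4net's code and not the linked commit: it reads a constructed log4net-style configuration with plain System.Xml, once with DTD processing enabled and once with it prohibited. The class name, entity name, element layout and file content are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class XxeConfigDemo
{
    // Returns the <file> value a logger would end up using,
    // or a rejection message when the reader refuses the document.
    static string LoadFileParam(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                if (!reader.ReadToFollowing("file")) return "no <file> element";
                return "loaded, file = \"" + reader.ReadElementContentAsString() + "\"";
            }
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        // Constructed stand-in for a local file the process can read.
        string target = Path.GetTempFileName();
        File.WriteAllText(target, "CONSTRUCTED-CONTENT");

        // Constructed config: the DOCTYPE declares an external entity.
        string xml =
            "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"" + new Uri(target).AbsoluteUri + "\">]>" +
            "<log4net><appender name=\"A\"><file>&ext;</file></appender></log4net>";

        // Weak: DTDs are parsed and external entities are resolved.
        var weak = new XmlReaderSettings {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        // Hardened: any DOCTYPE is refused and nothing external is fetched.
        var hardened = new XmlReaderSettings {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };

        Console.WriteLine("weak:     " + LoadFileParam(xml, weak));
        Console.WriteLine("hardened: " + LoadFileParam(xml, hardened));
        File.Delete(target);
    }
}
```

With the weak settings the external file's content ends up inside the configuration value; with the hardened settings the reader throws an XmlException as soon as it meets the DOCTYPE.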
MGA7-64 Plasma on Lenovo B50. No installation issues. Previous update was bug 4816 from 2006. Googled and found a.o. https://stackify.com/log4net-guide-dotnet-logging/ This is pure developers stuff. I propose to OK on clean install if the higher powers agree.
CC: (none) => herman.viaene
Yeah, clean upgrade is sufficient.
Whiteboard: (none) => MGA7-64-OK
Thank you Herman, David. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued an advisory for this on May 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0233.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED