Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package log4net for openSUSE:Factory checked in at 2022-09-08 14:21:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/log4net (Old)
 and      /work/SRC/openSUSE:Factory/.log4net.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "log4net"

Thu Sep  8 14:21:37 2022 rev:20 rq:1001681 version:1.2.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/log4net/log4net.changes  2018-03-26 
13:03:48.639733926 +0200
+++ /work/SRC/openSUSE:Factory/.log4net.new.2083/log4net.changes        
2022-09-08 14:21:54.722427789 +0200
@@ -1,0 +2,6 @@
+Wed Sep  7 02:34:56 UTC 2022 - Yifan Jiang <yfji...@suse.com>
+
+- Add patch to fix CVE-2018-1285 (bsc#1172193):
+  * log4net-fix-CVE-2018-1285.patch
+
+-------------------------------------------------------------------

New:
----
  log4net-fix-CVE-2018-1285.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ log4net.spec ++++++
--- /var/tmp/diff_new_pack.7YcWjb/_old  2022-09-08 14:21:55.190428869 +0200
+++ /var/tmp/diff_new_pack.7YcWjb/_new  2022-09-08 14:21:55.198428887 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package log4net
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -26,6 +26,8 @@
 Source:         incubating-log4net-1.2.10.zip
 Source1:        log4net.key
 Source2:        log4net.pc
+# PATCH-FIX-UPSTREAM log4net-fix-CVE-2018-1285.patch bsc#1172193 
yfji...@suse.com -- Fix the vulnerability by not allowing dtd processing
+Patch1:         log4net-fix-CVE-2018-1285.patch
 BuildRequires:  mono-basic
 BuildRequires:  mono-data-sqlite
 BuildRequires:  mono-devel
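Review bot: the `# PATCH-FIX-UPSTREAM` comment above `Patch1:` is shown split, with `yfji...@suse.com -- Fix the vulnerability by not allowing dtd processing` starting a line that carries neither a `+` nor a `#`; if that is how the spec reads rather than mail wrapping, rpmbuild will reject the second line, so confirm the comment is a single `#` line. It would also help to name the upstream reference (LOG4NET-575, commit d0b4b0157d4a) in that comment next to bsc#1172193.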
@@ -41,6 +43,7 @@
 
 %prep
 %setup -q -c
+%patch1 -p1
 sed -i "s|@VERSION@|%{version}|" %{SOURCE2}
 #=============================================================================
 
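Review bot: `%patch1 -p1` has to match the path depth of the patch file below, whose paths are `log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs`; with `%setup -q -c` rpm creates the build directory itself and the zip's own `log4net-1.2.10/` directory lands inside it, so stripping one component leaves `log4net-1.2.10/src/Config/XmlConfigurator.cs`, which is correct only if `incubating-log4net-1.2.10.zip` really unpacks to that nested directory. A local build is enough to confirm the patch applies cleanly.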


++++++ log4net-fix-CVE-2018-1285.patch ++++++
>From d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Mon Sep 17 00:00:00 2001
From: Dominik Psenner <dpsen...@apache.org>
Date: Tue, 12 Sep 2017 09:15:08 +0200
Subject: [PATCH] XmlConfigurator: no longer allow dtd processing across all
 platforms (LOG4NET-575)

This patch fixes a security vulnerability reported by Karthik Balasundaram.
The security vulnerability was found in the way log4net parses xml
configuration files, where it allowed XML External Entity processing. An
attacker could use this as an attack vector if he could modify the XML
configuration file.
---
 src/Config/XmlConfigurator.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
===================================================================
--- log4net-1.2.10.orig/log4net-1.2.10/src/Config/XmlConfigurator.cs
+++ log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
@@ -621,7 +621,7 @@ namespace log4net.Config
 #elif NET_2_0
                                        // Allow the DTD to specify entity 
includes
                                        XmlReaderSettings settings = new 
XmlReaderSettings();
-                                       settings.ProhibitDtd = false;
+                                       settings.ProhibitDtd = true;
 
                                        // Create a reader over the input stream
                                        XmlReader xmlReader = 
XmlReader.Create(configStream, settings);
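Review bot: the comment `// Allow the DTD to specify entity includes` two lines above `settings.ProhibitDtd = true;` now says the opposite of what the code does; update it (for example `// Do not allow DTD processing (XXE, LOG4NET-575)`) so the next reader does not flip the flag back. Also, the upstream header reports `2 insertions(+), 2 deletions(-)` and the subject says "across all platforms", while this rebased hunk changes one line in the `#elif NET_2_0` branch only; confirm that the other `#if` branch's reader setup in XmlConfigurator.cs did not lose its half of the fix when the patch was ported to 1.2.10.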

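The one-line `XmlReaderSettings` change above, as an added example that is not log4net's code and not part of the patch: it loads a constructed log4net-style config that carries a DOCTYPE under both the old (`ProhibitDtd = false`) and the patched setting, written with `DtdProcessing` because `ProhibitDtd` is obsolete in .NET 4 and later. The `Log4netDtdCheck` class, its `LoadPattern` helper and the sample config are assumptions made for the demonstration.

```csharp
using System;
using System.IO;
using System.Xml;

static class Log4netDtdCheck
{
    // Constructed log4net-style config with a DOCTYPE (assumption, not a real
    // deployed file). An internal entity keeps the lax case offline; a SYSTEM
    // entity, the XXE form, is refused at the same DOCTYPE check when prohibited.
    const string ConfigWithDtd = @"<?xml version=""1.0""?>
<!DOCTYPE log4net [ <!ENTITY ext ""injected-by-dtd""> ]>
<log4net>
  <appender name=""console"" type=""log4net.Appender.ConsoleAppender"">
    <layout type=""log4net.Layout.PatternLayout"">
      <conversionPattern value=""&ext; %message%newline"" />
    </layout>
  </appender>
</log4net>";

    // Same reader setup as XmlConfigurator.cs; DtdProcessing.Prohibit is the
    // non-obsolete spelling of ProhibitDtd = true, Parse of ProhibitDtd = false.
    static XmlReaderSettings SettingsFor(bool prohibitDtd) => new XmlReaderSettings
    {
        DtdProcessing = prohibitDtd ? DtdProcessing.Prohibit : DtdProcessing.Parse,
        XmlResolver = null // never fetch external resources, even in the lax case
    };

    // Returns the parsed conversionPattern, or null when the reader refuses the file.
    static string LoadPattern(string xml, bool prohibitDtd)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), SettingsFor(prohibitDtd));
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc.SelectSingleNode("//conversionPattern/@value")?.Value;
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        Console.WriteLine("ProhibitDtd=false -> " + LoadPattern(ConfigWithDtd, false));
        Console.WriteLine("ProhibitDtd=true  -> " + LoadPattern(ConfigWithDtd, true));
    }
}
```

With the old setting the DTD is parsed and the pattern comes back with `injected-by-dtd` substituted in; with the patched setting the reader throws at the DOCTYPE and the config is never loaded, which is exactly what closes the XXE path regardless of what the entity points to.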