Hi

Matt, I don't think that CVE is fixed in 2.0.9. I originally tracked down a 
commit in the develop branch which had the change in it, and I'm quite sure 
that commit was never brought into the 2.0.9 release. The changes I made on 
that branch were all around build, simply to try to get the project alive 
again. I noticed that the version had already been bumped to 2.0.9, so was ok 
with an initial resurrection release coming out with no further changes.

I didn't know about this CVE until it was raised a little while ago, and I 
tracked down a matching commit in the develop branch. Last I remember, I 
proposed completing the 2.0.9 release with the dormant changes that were on the 
master branch as I forked, and that I would tackle this fix in 2.0.10 as soon 
as we got 2.0.9 out the door and I knew more about the release process.

If I can figure out what I need to do to update the release site, that's 
(hopefully) the last piece of the puzzle, and I can get started on a quick 
2.0.10 release which addresses the CVE.

-d

On 2020/08/26 17:05:06, Matt Sicker <boa...@gmail.com> wrote:
Yes, that release fixes the CVE. I still need to submit an update to
Mitre about that.

On Wed, 26 Aug 2020 at 09:52, #CircusLogic
wrote:
>
> Team -
>
> The latest that I read about log4net.dll is that it is dormant as of 2017 and 
> the latest version was 2.0.8.
>
> But then I read that there is now a version 2.0.9. What is in 2.0.9? Is a fix 
> for CVE-2018-1285 included?
>
> Thanks,
> CL



--
Matt Sicker