Oh right, I think I mixed that up with something else. That CVE only affects downstream users who accept arbitrary user input for their log4net config file (which seems like a security nightmare no matter what).
On Wed, 26 Aug 2020 at 10:12, Davyd McColl <dav...@gmail.com> wrote:
>
> Hi
>
> Matt, I don't think that CVE is fixed in 2.0.9. I originally tracked down a
> commit in the develop branch which had the change in it, and I'm quite sure
> that commit was never brought into the 2.0.9 release. The changes I made on
> that branch were all around build, simply to try to get the project alive
> again. I noticed that the version had already been bumped to 2.0.9, so was ok
> with an initial resurrection release coming out with no further changes.
>
> I didn't know about this CVE until it was raised a little while ago, and I
> tracked down a matching commit in the develop branch. Last I remember, I
> proposed completing the 2.0.9 release with the dormant changes that were on
> the master branch as I forked, and that I would tackle this fix in 2.0.10 as
> soon as we got 2.0.9 out the door and I knew more about the release process.
>
> If I can figure out what I need to do to update the release site, that's
> (hopefully) the last piece of the puzzle, and I can get started on a quick
> 2.0.10 release which addresses the CVE.
>
> -d
>
> On 2020/08/26 17:05:06, Matt Sicker <boa...@gmail.com> wrote:
> Yes, that release fixes the CVE. I still need to submit an update to
> Mitre about that.
>
> On Wed, 26 Aug 2020 at 09:52, #CircusLogic
> wrote:
> >
> > Team -
> >
> > The latest that I read about log4net.dll is that it is dormant as of 2017
> > and the latest version was 2.0.8.
> >
> > But then I read that there is now a version 2.0.9. What is in 2.0.9? Is a
> > fix for CVE-2018-1285 included?
> >
> > Thanks,
> > CL
> >
> --
> Matt Sicker

--
Matt Sicker <boa...@gmail.com>