Looks like it is moot anyway. https://github.com/opensim/opensim/commit/da4d4149f03ad5e1240cc05c04800ad445f7fc81 Ubit may have taken care of it for future releases.

On Wed, Dec 15, 2021 at 6:44 PM Teravus Ovares <tera...@gmail.com> wrote:
> I took a look at the CVEs and neither of them apply to OpenSimulator's use
> of it out of the box. That's not to say that it is wise, long term, to
> keep this version. There are two CVEs: one is for a version earlier
> than the one in OpenSimulator; for the second, someone would have to configure
> a special log appender that goes to the Linux syslog.
>
> Furthermore, if Dependabot had an issue with the library, it would show up
> on pull requests on this project:
> https://github.com/opensim/opensim/pulls?q=is%3Aopen+is%3Apr, unless
> someone disabled Dependabot on the project. It is enabled by default
> though.
>
> In other words... Don't panic. You're still safe.
>
> On Wed, Dec 15, 2021 at 3:18 PM Cinder Roxley <cin...@alchemyviewer.org> wrote:
>>
>> https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=7281&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2&sha=f70b070c708ceeabfdce6d62f53aef9c82924571
>>
>> --
>> Sent from Canary (https://canarymail.io)
>>
>> On Wednesday, Dec 15, 2021 at 5:15 PM, Dahlia Trimble <dahliatrim...@gmail.com> wrote:
>>> Github's Dependabot says very publicly that our Log4Net.dll has an XXE
>>> vulnerability.
>>>
>>> This is eluding my google-fu and I can't find anything about it. Have a
>>> link?
>>>
>>> -D
>>>
>>> On Wed, Dec 15, 2021 at 10:00 AM Fred Beckhusen <f...@mitsi.com> wrote:
>>>> Github's Dependabot says very publicly that our Log4Net.dll has an XXE
>>>> vulnerability. That's the issue.
>>>>
>>>> We don't load Robust.exe.config or Opensim.exe.config with user supplied
>>>> data, so AFAIK, we don't have an exploitable security issue. But that
>>>> may not matter. IT professionals will be much more sensitive to XXE
>>>> after their Log4J remediation efforts.
>>>>
>>>> We all know that the major sponsors of Opensim are Universities. Their
>>>> IT departments are under attack.
>>>>
>>>> ~ Fred
>>>>
>>>> _______________________________________________
>>>> Opensim-dev mailing list
>>>> Opensim-dev@opensimulator.org
>>>> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
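Fred's argument in the thread is that the XXE only matters if Robust.exe.config or OpenSim.exe.config is ever assembled from attacker-controlled data, so the practical check is whether a config file contains any DTD or entity construct at all. The script below is an added example, not OpenSimulator or log4net code: it audits a log4net-style XML section with Python's stdlib expat parser configured so that nothing is fetched, and reports any DOCTYPE, entity declaration or external entity reference. Both sample configs are constructed for the illustration; the function names are this example's own.

```python
"""Audit a log4net-style XML config for DTD / entity constructs before it is
handed to a configurator. Added example, not OpenSimulator or log4net code.
Both sample configs below are constructed for this illustration."""
import xml.parsers.expat
from xml.parsers.expat import ExpatError, XML_PARAM_ENTITY_PARSING_NEVER

# A plain log4net section as an operator would ship it (constructed).
SAFE_CONFIG = """<?xml version="1.0"?>
<log4net>
  <appender name="Console" type="log4net.Appender.ConsoleAppender">
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date %-5level %logger - %message%newline" />
    </layout>
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="Console" />
  </root>
</log4net>
"""

# The same section with the classic XXE shape: an internal DTD subset declares an
# external entity and the body references it (constructed). The reference sits in
# element content because XML forbids external entity references inside attributes.
XXE_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE log4net [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<log4net>
  <appender name="Console" type="log4net.Appender.ConsoleAppender">
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern>&xxe;</conversionPattern>
    </layout>
  </appender>
</log4net>
"""


def audit_xml_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means no DTD, no entity
    declaration and no external entity reference was seen.

    The parser is set up so that nothing is ever read from disk or the
    network: parameter entities (external DTD subsets) are never expanded,
    and external general entity references are intercepted and reported
    instead of being resolved."""
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE for <{name}> (system id {system_id!r}, "
                        f"internal subset: {bool(has_internal_subset)})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id is not None:
            findings.append(f"external {kind} entity {name!r} -> {system_id}")
        else:
            findings.append(f"internal {kind} entity {name!r} ({len(value or '')} chars)")

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"reference to external entity at {system_id}")
        return 1  # tell expat the reference was handled; nothing is read

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(xml_text, True)
    except ExpatError as exc:
        # Malformed input is also a reason not to hand the file to the configurator.
        findings.append(f"not well-formed: {exc}")
    return findings


def is_trusted_config(xml_text: str) -> bool:
    """True only when the config contains nothing a DTD-aware XML loader could
    turn into a local file read or an outbound request."""
    return audit_xml_config(xml_text) == []


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("xxe", XXE_CONFIG)):
        print(f"{label}: trusted={is_trusted_config(cfg)}")
        for finding in audit_xml_config(cfg):
            print("  -", finding)
```

Run over the two constructed configs, the plain section yields no findings while the XXE one is flagged three times (the DOCTYPE, the external entity declaration pointing at file:///etc/passwd, and the reference to it), without the file ever being opened. The same audit can be pointed at the real Robust.exe.config and OpenSim.exe.config on a deployed host to confirm the assumption in the thread that they carry no DTD at all.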