log4net.dll - does 2.0.9 fix CVE-2018-1285

2020-08-26 Thread #CircusLogic
Team - The latest that I read about log4net.dll is that it is dormant as of 2017 and the latest version was 2.0.8. But then I read that there is now a version 2.0.9. What is in 2.0.9? Is a fix for CVE-2018-1285 included? Thanks, CL

Re: log4net.dll - does 2.0.9 fix CVE-2018-1285

2020-08-26 Thread Matt Sicker
Yes, that release fixes the CVE. I still need to submit an update to Mitre about that.

On Wed, 26 Aug 2020 at 09:52, #CircusLogic wrote:
>
> Team -
>
> The latest that I read about log4net.dll is that it is dormant as of 2017 and
> the latest version was 2.0.8.
>
> But then I read that there is

Re: log4net.dll - does 2.0.9 fix CVE-2018-1285

2020-08-26 Thread Davyd McColl
Hi Matt, I don't think that CVE is fixed in 2.0.9. I originally tracked down a commit in the develop branch which had the change in it, and I'm quite sure that commit was never brought into the 2.0.9 release. The changes I made on that branch were all around build, simply to try to get the proj

Re: log4net.dll - does 2.0.9 fix CVE-2018-1285

2020-08-26 Thread Matt Sicker
Oh right, I think I mixed that up with something else. That CVE only affects downstream users who accept arbitrary user input for their log4net config file (which seems like a security nightmare no matter what).

On Wed, 26 Aug 2020 at 10:12, Davyd McColl wrote:
>
> Hi
>
> Matt, I don't think that