Debian Patches
Status for log4net/1.2.10+dfsg-10
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| fix_XXE_CVE-2018-1285 | fix_XXE_CVE-2018-1285 | "Debian .NET Team" <debian-cli@lists.debian.org> | no | | | 2026-05-22 |
| 0002-fix-XmlLayout-invalid-character-handling-CVE-2026-40.patch | fix XmlLayout invalid character handling (CVE-2026-40021) Both XmlLayout and XmlLayoutSchemaLog4j write log event fields as XML attributes without sanitizing characters forbidden by XML 1.0. An attacker controlling log fields such as logger name, thread name, MDC property keys/values, or identity field can inject characters like U+0001, causing a serialization exception that silently discards the log event. Backport of upstream fix from PR #280 (merged in log4net 3.3.0): wrap all WriteAttributeString calls on user-controlled fields with Transform.MaskXmlInvalidCharacters() in XMLLayout.cs and XmlLayoutSchemaLog4j.cs. | James Montgomery <james_montgomery@disroot.org> | no | debian | upstream, https://github.com/apache/logging-log4net/pull/280 | 2026-05-22 |
All known versions for source package 'log4net'
- 1.2.10+dfsg-10 (sid)
- 1.2.10+dfsg-9 (trixie)
