Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
As far as I can see, we are using version 2.0.8 in all supported Fedora releases and in Epel 7 and 8:
We don't have a package in Epel 6.
@Guilherme: you wrote "before 2.0.8", but the Apache issue says "Affected: log4net up to 2.0.8"
Here is the patch that fixes it: https://github.com/apache/logging-log4net/commit/d0b4b01
I will apply this to the packages.
In reply to comment #2:
> @Guilherme: you wrote "before 2.0.8", but the Apache issue says "Affected:
> log4net up to 2.0.8"
> Here is the patch that fixes it:
> I will apply this to the packages.
This is the way it was reported to Mitre. Since the package is affected by this issue I will create Fedora and EPEL trackers for it.
Created log4net tracking bugs for this issue:
Affects: epel-all [bug 1836222]
Affects: fedora-all [bug 1836221]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.