Log4net / LOG4NET-67

CVE-2006-0743 Security vulnerability in LocalSyslogAppender

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2.9
    • Fix Version/s: 1.2.10
    • Component/s: Appenders
    • Labels:
      None

      Description

      Reported by Sebastian Krahmer to security@apache.org
      Logged as CVE-2006-0743

      The LocalSyslogAppender contains a vulnerability which could lead to memory corruption within the runtime process. This is likely to cause the application using the LocalSyslogAppender to terminate unexpectedly. In addition to a deliberate denial of service attack, this fault may be caused by logging legitimate data; therefore the LocalSyslogAppender must not be used even within secured environments.

      Current users of the LocalSyslogAppender (from the log4net 1.2.9 release) should update their logging configuration to remove references to the LocalSyslogAppender. Alternatively, users can build a new version of the log4net assembly from the head of the source code repository, where this fault has been fixed.
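
      One way to act on the configuration advice above, as an added example (not code from the log4net project): a Python script that removes LocalSyslogAppender definitions, and the appender-ref entries that point at them, from a log4net XML configuration. The sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AFFECTED = "log4net.Appender.LocalSyslogAppender"

# Constructed sample configuration (not taken from the issue).
SAMPLE_CONFIG = """\
<configuration>
  <log4net>
    <appender name="Syslog" type="log4net.Appender.LocalSyslogAppender, log4net">
      <layout type="log4net.Layout.SimpleLayout" />
    </appender>
    <appender name="File" type="log4net.Appender.FileAppender">
      <file value="app.log" />
    </appender>
    <root>
      <appender-ref ref="Syslog" />
      <appender-ref ref="File" />
    </root>
    <logger name="Audit">
      <appender-ref ref="Syslog" />
    </logger>
  </log4net>
</configuration>
"""

def is_affected(type_attr):
    # The type attribute may carry an assembly name after a comma.
    # Compared case-insensitively so that no spelling variant is missed.
    return type_attr.split(",")[0].strip().lower() == AFFECTED.lower()

def strip_local_syslog(xml_text):
    """Return (cleaned_xml, removed_appender_names, removed_reference_count)."""
    root = ET.fromstring(xml_text)
    names, refs = [], 0
    # Snapshot the tree first so removals do not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "appender" and is_affected(child.get("type", "")):
                names.append(child.get("name"))
                parent.remove(child)
    # Second pass: drop references to the appenders removed above.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "appender-ref" and child.get("ref") in names:
                refs += 1
                parent.remove(child)
    return ET.tostring(root, encoding="unicode"), names, refs

if __name__ == "__main__":
    cleaned, names, refs = strip_local_syslog(SAMPLE_CONFIG)
    print("removed appenders:", names, "references:", refs)
```

      A logger left with no appender-ref after the cleanup writes nowhere of its own, so review the result before deploying it.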

        Activity

        Nicko Cadell created issue -
        Nicko Cadell added a comment -

        Fix checked in
        Nicko Cadell made changes -
        Field        Original Value   New Value
        Resolution                    Fixed [ 1 ]
        Status       Open [ 1 ]       Resolved [ 5 ]

          People

          • Assignee:
            Nicko Cadell
            Reporter:
            Nicko Cadell
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved:
