Log4net / LOG4NET-67

CVE-2006-0743 Security vulnerability in LocalSyslogAppender

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2.9
    • Fix Version/s: 1.2.10
    • Component/s: Appenders
    • Labels:
      None

      Description

      Reported by Sebastian Krahmer to security@apache.org
      Logged as CVE-2006-0743

      The LocalSyslogAppender contains a vulnerability which could lead to memory corruption within the runtime process. This is likely to cause the application using the LocalSyslogAppender to terminate unexpectedly. In addition to a deliberate denial of service attack, this fault may be caused by logging legitimate data; therefore the LocalSyslogAppender must not be used, even within secured environments.

      Current users of the LocalSyslogAppender (from the log4net 1.2.9 release) should update their logging configuration to remove references to the LocalSyslogAppender. Alternatively, users can build a new version of the log4net assembly from the head of the source code repository, where this fault has been fixed.
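
One way to audit a configuration for the mitigation described above (an added example, not part of the original issue or the log4net project): the script lists every appender defined with the LocalSyslogAppender type and the loggers that still reference it. The sample configuration is constructed, and the function name `find_local_syslog_usage` is hypothetical.

```python
import xml.etree.ElementTree as ET

VULNERABLE_TYPE = "log4net.Appender.LocalSyslogAppender"

# Constructed sample configuration (not taken from the issue).
SAMPLE_CONFIG = """<configuration>
  <log4net>
    <appender name="Syslog" type="log4net.Appender.LocalSyslogAppender, log4net">
      <layout type="log4net.Layout.PatternLayout" />
    </appender>
    <appender name="File" type="log4net.Appender.FileAppender" />
    <appender name="Unused" type="log4net.Appender.LocalSyslogAppender" />
    <root>
      <appender-ref ref="File" />
    </root>
    <logger name="Billing">
      <appender-ref ref="Syslog" />
    </logger>
  </log4net>
</configuration>"""


def find_local_syslog_usage(config_xml):
    """Return {appender name: [elements that reference it]} for every
    LocalSyslogAppender definition in a log4net XML configuration."""
    root = ET.fromstring(config_xml)
    findings = {}
    for appender in root.iter("appender"):
        # Drop any assembly qualifier after the comma; compare case-insensitively to be conservative.
        type_name = appender.get("type", "").split(",")[0].strip()
        if type_name.lower() == VULNERABLE_TYPE.lower():
            findings[appender.get("name", "")] = []
    for parent in root.iter():
        for ref in parent.findall("appender-ref"):
            target = ref.get("ref", "")
            if target in findings:
                label = parent.tag
                if parent.get("name"):
                    label += ":" + parent.get("name")
                findings[target].append(label)
    return findings


if __name__ == "__main__":
    for name, users in find_local_syslog_usage(SAMPLE_CONFIG).items():
        print(f"{name}: referenced by {users or 'nothing (definition only)'}")
```

An appender that is defined but never referenced is still reported, so the definition can be removed along with the references.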

        Activity

        Nicko Cadell created issue -
        Nicko Cadell added a comment -

        Fix checked in

        Nicko Cadell made changes -
        Field: Resolution; Original Value: (empty); New Value: Fixed [ 1 ]
        Field: Status; Original Value: Open [ 1 ]; New Value: Resolved [ 5 ]
        Transition: Open to Resolved; Time In Source Status: 2m 19s; Execution Times: 1; Last Executer: Nicko Cadell; Last Execution Date: 08/Mar/06 00:50

          People

          • Assignee: Nicko Cadell
          • Reporter: Nicko Cadell
          • Votes: 0
          • Watchers: 0
