Am Mon, Jan 11, 2021 at 10:54:27AM +0800 schrieb Mirco Bauer: > Thanks for your email and raised concern, Jeremy. > > Full accessibility in Smuxi has been a high priority for me for a long > time. > > I looked into the vulnerability of the log4net library that Smuxi depends > on. my assessment doesn't classify a XXE for local configuration file as > release critical. An attacker would need to have write access to the > configuration file to exploit it. It that point a XXE is pointless, he can > just execute curl, wget, perl, python or write something to ~/.bashrc > directly. > Having identified the offending code the fix is a one line change on the > other hand. I plan to upload a fixed version of log4net in the coming days.
What's the status of that upload? Patch is at https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Cheers, Moritz