The fix has been committed for some time now and is available with all
branches that I know. You are affected by this CVE if your application
consumes configuration files from untrusted sources, especially in dtd
statements.

1. You should assert that your deployment does not rely on dtd processing
2. You should not allow your application to consume configuration files
from untrusted sources

At this point it is actually optional to build log4net from source and
update the library such that it no longer allows any dtd processing.
--
Sent from my phone. Typos are a kind gift to anyone who happens to find
them.

On Mon, May 25, 2020, 19:04 Andrew Marlow <marlow.age...@gmail.com> wrote:

> The project page says:
>
> As of April 1, 2020 Log4Net is a dormant project of Apache Logging
> Services. The dormant status means the project has been classified as
> inactive since it has had no recent development activity and there are no
> active volunteers to perform code reviews, commit code, or perform
> releases.
>
> The CVE applies to version 2.0.8 and below and since 2.0.8 is the latest
> version I think you are going to be out of luck.
>
>
> On Mon, 25 May 2020 at 17:29, Suthish Nair <suthish.s.n...@gmail.com>
> wrote:
>
> > Hi,
> >
> > Good Day!
> >
> > Is there any mitigation or vulnerability fix available for .NET Core
> > frameworks?
> >
> > Please let me know.
> >
> > Regards
> > Suthish
> >
>
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
>
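For the first mitigation point in the reply above, an added example (not code from this thread or from log4net itself) of loading a log4net XML configuration with DTD processing explicitly prohibited on the application side, so the check holds regardless of which library version is deployed. The `SafeLog4NetConfig` class name and the configuration file path are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;
using log4net.Config;

// Added example: parse the log4net configuration with DTD processing
// prohibited and no external resolver, then hand the resulting element
// to XmlConfigurator. A file containing <!DOCTYPE ...> is rejected with
// an XmlException before the document ever reaches the configurator.
public static class SafeLog4NetConfig
{
    public static void Configure(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject any DTD outright
            XmlResolver = null                       // never fetch external resources
        };

        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(path, settings))
        {
            doc.Load(reader); // throws XmlException on a DOCTYPE declaration
        }

        // log4net expects the <log4net> element; it may be the document root
        // or nested inside an application <configuration> element.
        XmlElement log4netElement = doc.DocumentElement;
        if (log4netElement != null && log4netElement.LocalName != "log4net")
        {
            log4netElement = log4netElement["log4net"];
        }
        if (log4netElement == null)
        {
            throw new InvalidDataException("no <log4net> element found in " + path);
        }

        XmlConfigurator.Configure(log4netElement);
    }
}
```

Calling `SafeLog4NetConfig.Configure("log4net.config")` at startup replaces `XmlConfigurator.Configure(new FileInfo(...))`; a configuration that relies on a DTD will fail fast instead of being parsed.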
