Hi Sorry to not have responded earlier. Time is short and the days are busy. I looked at the diff and found several suspicious changes. Several hundred ifdefs have been removed/replaced along with tests. Therefore I have a bad feeling about those changes without further careful checking. I propose to release the cve fix alone and follow up a second release as soon as someone had the time to verify that the netstandard2 changes are ok.
Best regards -- Sent from my phone. Typos are a kind gift to anyone who happens to find them. On Thu, Sep 10, 2020, 08:48 Davyd McColl <davyd.mcc...@codeo.co.za> wrote: > Hi > > Sorry to be a bother, but I haven't heard anything back on this apart from > Dominik's inquiry into netstandard 1.3 support. I'd really like to get this > out as: > a) it contains the CVE fix that has been asked about so much > b) it solves some issues affecting netstandard users > > Thanks > -d > > On 2020/09/06 20:51:38, Davyd McColl <davyd.mcc...@codeo.co.za> wrote: > Hi all > > I'd like to propose a vote to release 2.0.10 of log4net, with: > - updated netstandard 2.0 support from community member NicholasNoise > - cherry-picked fix for CVE-2018-1285 (I had to modify slightly since the > mechanism used there is outdated for netstandard 2.0, but the principle > stands > > I've created an RC release at GitHub: > https://github.com/apache/logging-log4net/releases/tag/v2.0.10-rc1 and > pushed updated site material to the `asf-staging` branch of the > logging-log4net-site repo. > > Thanks > -d
