Fred Beckhusen gave me some useful background on this... we use
Log4Net 2.0.8.0 in OpenSim 0.9.2.0 release and 0.9.21. Dev master,
and Fred says that before Log4Net 2.0.10 it has the same bug as Log4J
according to CVE-2018-1285...
https://github.com/advisories/GHSA-2cwj-8chv-9pp9
Fred also added that he did hear something about OpenSim not allowing
arbitrary anything to be injected into Log4Net. Maybe those in the
know could take a look at that.
_______________________________________________
Opensim-dev mailing list
Opensim-dev@opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev