Posted to log4net-dev@logging.apache.org by "Nicko Cadell (JIRA)" <ji...@apache.org> on 2006/03/07 17:48:38 UTC

[jira] Created: (LOG4NET-67) CVE-2006-0743 Security vulnerability in LocalSyslogAppender

CVE-2006-0743 Security vulnerability in LocalSyslogAppender
-----------------------------------------------------------

         Key: LOG4NET-67
         URL: http://issues.apache.org/jira/browse/LOG4NET-67
     Project: Log4net
        Type: Bug
  Components: Appenders  
    Versions: 1.2.9    
    Reporter: Nicko Cadell
 Assigned to: Nicko Cadell 
    Priority: Critical
     Fix For: 1.2.10


Reported by Sebastian Krahmer to security@apache.org
Logged as CVE-2006-0743

The LocalSyslogAppender contains a vulnerability which could lead to memory corruption within the runtime process. This is likely to cause the application using the LocalSyslogAppender to terminate unexpectedly. In addition to a deliberate denial of service attack, this fault may be caused by logging legitimate data; therefore the LocalSyslogAppender must not be used even within secured environments.

Current users of the LocalSyslogAppender (from the log4net 1.2.9 release) should update their logging configuration to remove references to the LocalSyslogAppender. Alternatively users can build a new version of the log4net assembly from the head of the source code repository where this fault has been fixed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
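
An added example, not part of the original JIRA message or of the log4net project: one way to locate the configuration references that the advisory above says to remove. It assumes the usual log4net XML configuration layout (`appender` elements with a `type` attribute, `appender-ref` elements under `root` and `logger`); the sample configuration and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

VULNERABLE_TYPE = "log4net.appender.localsyslogappender"  # compared lower-cased

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
<configuration>
  <log4net>
    <appender name="Syslog" type="log4net.Appender.LocalSyslogAppender, log4net">
      <layout type="log4net.Layout.PatternLayout" />
    </appender>
    <appender name="File" type="log4net.Appender.RollingFileAppender">
      <file value="app.log" />
    </appender>
    <root>
      <appender-ref ref="Syslog" />
      <appender-ref ref="File" />
    </root>
    <logger name="Audit">
      <appender-ref ref="Syslog" />
    </logger>
  </log4net>
</configuration>
"""

def find_local_syslog_usage(config_xml):
    """Return (appender names, [(referring element, appender name)])."""
    root = ET.fromstring(config_xml)
    names = []
    for appender in root.iter("appender"):
        # The type attribute may carry an assembly suffix: "Type, Assembly".
        type_name = appender.get("type", "").split(",")[0].strip().lower()
        if type_name == VULNERABLE_TYPE:
            names.append(appender.get("name"))
    referrers = []
    for parent in root.iter():
        # Any element holding an appender-ref (root, logger, another appender).
        for ref in parent.findall("appender-ref"):
            if ref.get("ref") in names:
                label = parent.tag + (":" + parent.get("name") if parent.get("name") else "")
                referrers.append((label, ref.get("ref")))
    return names, referrers

if __name__ == "__main__":
    names, referrers = find_local_syslog_usage(SAMPLE_CONFIG)
    for name in names:
        print("LocalSyslogAppender defined as appender:", name)
    for label, name in referrers:
        print("  referenced from <%s> -> %s" % (label, name))
```

Both the `appender` definition and every `appender-ref` that points at it need to be removed or replaced for the configuration to stop loading the appender.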


[jira] Resolved: (LOG4NET-67) CVE-2006-0743 Security vulnerability in LocalSyslogAppender

Posted by "Nicko Cadell (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/LOG4NET-67?page=all ]
     
Nicko Cadell resolved LOG4NET-67:
---------------------------------

    Resolution: Fixed

Fix checked in

> CVE-2006-0743 Security vulnerability in LocalSyslogAppender
> -----------------------------------------------------------
>
>          Key: LOG4NET-67
>          URL: http://issues.apache.org/jira/browse/LOG4NET-67
>      Project: Log4net
>         Type: Bug
>   Components: Appenders
>     Versions: 1.2.9
>     Reporter: Nicko Cadell
>     Assignee: Nicko Cadell
>     Priority: Critical
>      Fix For: 1.2.10
>
> Reported by Sebastian Krahmer to security@apache.org
> Logged as CVE-2006-0743
> The LocalSyslogAppender contains a vulnerability which could lead to memory corruption within the runtime process. This is likely to cause the application using the LocalSyslogAppender to terminate unexpectedly. In addition to a deliberate denial of service attack, this fault may be caused by logging legitimate data; therefore the LocalSyslogAppender must not be used even within secured environments.
> Current users of the LocalSyslogAppender (from the log4net 1.2.9 release) should update their logging configuration to remove references to the LocalSyslogAppender. Alternatively users can build a new version of the log4net assembly from the head of the source code repository where this fault has been fixed.
