Posted to log4net-user@logging.apache.org by "Covel, Sean E." <SC...@travelers.com> on 2020/08/26 19:46:18 UTC

FW: Apache Log4net 2.0.9

I see there is a new release in NuGet.  Where are the release notes for version 2.0.9?

A vulnerability was reported in 2017…
https://issues.apache.org/jira/browse/LOG4NET-575


Black Duck is also reporting this issue…

Title: Apache log4net
Component Version: 2.0.8
Vulnerability Level: 9.8
Vulnerability Summary: Apache log4net is vulnerable to XML external entities (XXE) attacks since it does not disable XML external entities when parsing log4net configuration files. An attacker can retrieve files outside the web root, execute arbitrary code or cause a denial-of-service (DoS) condition. This project is no longer actively maintained.
CalculatedCol: 254--Apache log4net--2.0.8--9.8




Does version 2.0.9 contain a fix for this issue?

Thanks,

Sean E. Covel | Senior Architect | Business Insurance Architecture
Travelers
One Tower Square | MN03
Hartford, CT 06183
W: 860.277.9960
