On Wed, Mar 17, 2021 at 4:13 AM Moritz Mühlenhoff <j...@inutil.org> wrote:
> > Having identified the offending code the fix is a one line change on the > > other hand. I plan to upload a fixed version of log4net in the coming > days. > > What's the status of that upload? Patch is at > > https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7 After some struggles with my pbuilder setup I have pushed the backported fix for CVE-2018-1285 to salsa [0]. Since I don't have access to my PGP key during the pandemic, I am looking for a sponsor for the upload of HEAD [1]. The source package builds from HEAD as 1.2.10+dfsg-8 and is ready for a build with gbp and upload. [0]: https://salsa.debian.org/dotnet-team/log4net/-/commit/3f6f2fa7927ceb8c7dd72e4f8cf4194ad3779bc6 [1]: https://salsa.debian.org/dotnet-team/log4net/-/commit/a1a1620bb68b815713e7408824be04825e544c27 Best regards, Mirco Bauer Security Architect mirco.ba...@bitgamelabs.com https://bgl.hk/ FOSS Hacker mee...@meebey.net https://www.meebey.net/ Debian Developer mee...@debian.org http://www.debian.org/ GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/ .NET Foundation Advisory Council Member http://www.dotnetfoundation.org/ PGP-Key ID 0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc
