We need to update to the latest log4net package version in all Chocolatey code bases, including this one. This is due to an XML External Entity attack in log4net, which can:
Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
The recommendation is to update to at least 2.0.10; however, we have decided to go straight to 2.0.12.
References
┆Issue is synchronized with this Gitlab issue by Unito ┆Milestone: 2.2.0
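One way to find the code bases that still reference an affected log4net version is sketched below. It is an added example, not code from the issue or from any Chocolatey repository. It assumes references live in `packages.config` or `PackageReference` entries; the file paths, sample XML and status names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 0, 10)   # advisory text: versions before 2.0.10 are affected
TARGET = (2, 0, 12)  # version this issue settles on

def parse_version(text):
    """'2.0.8' -> (2, 0, 8); None for ranges, MSBuild variables, prereleases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def log4net_versions(xml_text):
    """Yield the version string of every log4net reference in one file."""
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore the MSBuild namespace
        if tag == "package" and el.get("id", "").lower() == "log4net":
            yield el.get("version", "")
        elif tag == "PackageReference" and el.get("Include", "").lower() == "log4net":
            child = [c.text or "" for c in el if c.tag.rsplit("}", 1)[-1] == "Version"]
            yield el.get("Version") or (child[0] if child else "")

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "review"  # cannot be compared automatically, check by hand
    if v < FIXED:
        return "vulnerable"
    return "ok" if v >= TARGET else "below-target"

def audit(files):
    """files: {path: xml text}. Returns sorted (path, version, status) rows."""
    return sorted((p, ver, classify(ver))
                  for p, x in files.items() for ver in log4net_versions(x))

# Constructed sample inputs, not taken from any real repository.
SAMPLES = {
    "src/app/packages.config":
        '<packages><package id="log4net" version="2.0.8" targetFramework="net40" />'
        '<package id="NUnit" version="3.12.0" /></packages>',
    "src/lib/lib.csproj":
        '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="log4net" Version="2.0.12" /></ItemGroup></Project>',
    "src/old/old.csproj":
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>'
        '<PackageReference Include="log4net"><Version>2.0.10</Version></PackageReference>'
        '</ItemGroup></Project>',
    "src/var/var.csproj":
        '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="log4net" Version="$(Log4NetVersion)" /></ItemGroup></Project>',
}

if __name__ == "__main__":
    for path, version, status in audit(SAMPLES):
        print(f"{status:13} {version:20} {path}")
```

Rows marked `review` carry a version that is not a plain number (a range or an MSBuild property) and need to be resolved by hand before the code base can be considered updated.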