Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0
Date: Mon,  4 May 2026 16:47:46 +0200	[thread overview]
Message-ID: <20260504144746.10396-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260422135456.3109434-1-titouan.christophe@mind.be>

In reply of:
> This fixes the following vulnerability:
> - CVE-2026-40023:
>     Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1.7.0/c
>     lasslog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails
>     to sanitize characters forbidden by the  XML 1.0 specification
>     https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC
>     property keys and values, producing invalid XML output. Conforming XML
>     parsers must reject such documents with a fatal error, which may cause
>     downstream log processing systems to drop or fail to index affected
>     records.  An attacker who can influence logged data can exploit this
>     to suppress individual log records, impairing audit trails and
>     detection of malicious activity.  Users are advised to upgrade to
>     Apache Log4cxx 1.7.0, which fixes this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-40023
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/log4cxx/log4cxx.hash | 4 ++--
>  package/log4cxx/log4cxx.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/log4cxx/log4cxx.hash b/package/log4cxx/log4cxx.hash
> index f6770e287c..af97ebca18 100644
> --- a/package/log4cxx/log4cxx.hash
> +++ b/package/log4cxx/log4cxx.hash
> @@ -1,4 +1,4 @@
> -# From https://downloads.apache.org/logging/log4cxx/1.6.1/apache-log4cxx-1.6.1.tar.gz.sha512
> -sha512  6ee406314bd7ab02a46c98cc8a0d5ad5aec8928a23716a81a152775ca315cd3b950d600b2e221d5b4a88416ae9bbda1215fae43626107feea4df2f3e074303ad  apache-log4cxx-1.6.1.tar.gz
> +# From https://downloads.apache.org/logging/log4cxx/1.7.0/apache-log4cxx-1.7.0.tar.gz.sha512
> +sha512  0e94946457423689af6d85074ab97b717e0cec85a4f548e6650b060e8f98b780f980b7d4a7780410fa64681376fb4bc62fab6ed9068fc944e07f9f32ac0413af  apache-log4cxx-1.7.0.tar.gz
>  # Locally computed
>  sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
> diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
> index 57f9b1e844..ea47073d3c 100644
> --- a/package/log4cxx/log4cxx.mk
> +++ b/package/log4cxx/log4cxx.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LOG4CXX_VERSION = 1.6.1
> +LOG4CXX_VERSION = 1.7.0
>  LOG4CXX_SITE = https://archive.apache.org/dist/logging/log4cxx/$(LOG4CXX_VERSION)
>  LOG4CXX_SOURCE = apache-log4cxx-$(LOG4CXX_VERSION).tar.gz
>  LOG4CXX_INSTALL_STAGING = YES
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot