Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0
@ 2026-04-22 13:54 Titouan Christophe via buildroot
  2026-04-22 16:50 ` Julien Olivain via buildroot
  2026-05-04 14:47 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Titouan Christophe via buildroot @ 2026-04-22 13:54 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni

This fixes the following vulnerability:
- CVE-2026-40023:
    Apache Log4cxx's XMLLayout
    (https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html),
    in versions before 1.7.0, fails to sanitize characters forbidden by the
    XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in log
    messages, NDC, and MDC property keys and values, producing invalid XML
    output. Conforming XML
    parsers must reject such documents with a fatal error, which may cause
    downstream log processing systems to drop or fail to index affected
    records.  An attacker who can influence logged data can exploit this
    to suppress individual log records, impairing audit trails and
    detection of malicious activity.  Users are advised to upgrade to
    Apache Log4cxx 1.7.0, which fixes this issue.
    https://www.cve.org/CVERecord?id=CVE-2026-40023

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 package/log4cxx/log4cxx.hash | 4 ++--
 package/log4cxx/log4cxx.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/log4cxx/log4cxx.hash b/package/log4cxx/log4cxx.hash
index f6770e287c..af97ebca18 100644
--- a/package/log4cxx/log4cxx.hash
+++ b/package/log4cxx/log4cxx.hash
@@ -1,4 +1,4 @@
-# From https://downloads.apache.org/logging/log4cxx/1.6.1/apache-log4cxx-1.6.1.tar.gz.sha512
-sha512  6ee406314bd7ab02a46c98cc8a0d5ad5aec8928a23716a81a152775ca315cd3b950d600b2e221d5b4a88416ae9bbda1215fae43626107feea4df2f3e074303ad  apache-log4cxx-1.6.1.tar.gz
+# From https://downloads.apache.org/logging/log4cxx/1.7.0/apache-log4cxx-1.7.0.tar.gz.sha512
+sha512  0e94946457423689af6d85074ab97b717e0cec85a4f548e6650b060e8f98b780f980b7d4a7780410fa64681376fb4bc62fab6ed9068fc944e07f9f32ac0413af  apache-log4cxx-1.7.0.tar.gz
 # Locally computed
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
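Review bot: the "Locally computed" LICENSE sha256 on the last context line is carried over unchanged while the tarball moves from 1.6.1 to 1.7.0; please confirm it was recomputed from the apache-log4cxx-1.7.0.tar.gz contents rather than kept from the previous bump, since a changed LICENSE file would make the hash check fail at build time. Also, the new sha512 is cited from the .sha512 file on downloads.apache.org, whereas log4cxx.mk fetches the tarball from archive.apache.org; a sentence in the commit message saying the downloaded archive.apache.org tarball was checked against this value would document that the hash was verified and not only copied.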
diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
index 57f9b1e844..ea47073d3c 100644
--- a/package/log4cxx/log4cxx.mk
+++ b/package/log4cxx/log4cxx.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LOG4CXX_VERSION = 1.6.1
+LOG4CXX_VERSION = 1.7.0
 LOG4CXX_SITE = https://archive.apache.org/dist/logging/log4cxx/$(LOG4CXX_VERSION)
 LOG4CXX_SOURCE = apache-log4cxx-$(LOG4CXX_VERSION).tar.gz
 LOG4CXX_INSTALL_STAGING = YES
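Review bot: only LOG4CXX_VERSION changes here, and 1.6.1 to 1.7.0 is a minor-version step rather than a patch release, yet the commit message covers only the CVE. Please state whether 1.7.0 introduces any new build requirements or options (dependencies, cmake options) that would need to be reflected in this file, and that the package was build-tested, so a reviewer can tell the bump needs no further .mk changes; a link to the 1.7.0 release notes would help as well.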
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
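To make the failure mode in the CVE description concrete, here is an added Python example (not part of this patch, of Buildroot or of log4cxx itself) that checks text against the XML 1.0 Char production, shows a conforming parser dropping a record whose message carries a forbidden character such as an ANSI colour escape (U+001B), and sanitizes the message so the record survives. The record layout and the U+FFFD replacement policy are this example's assumptions, not the log4cxx 1.7.0 implementation.

```python
import xml.etree.ElementTree as ET

LOG4J_NS = "http://jakarta.apache.org/log4j/"

# XML 1.0 "Char" production (https://www.w3.org/TR/xml/#charsets):
# #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
def is_xml10_char(cp: int) -> bool:
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def forbidden_chars(text: str) -> list:
    """Code points in text that XML 1.0 forbids; an empty list means the text is safe."""
    return [ord(c) for c in text if not is_xml10_char(ord(c))]

def sanitize(text: str, replacement: str = "\uFFFD") -> str:
    """Replace forbidden code points. Replacing with U+FFFD is this example's
    assumed policy; it is not claimed to be what log4cxx 1.7.0 does."""
    return "".join(c if is_xml10_char(ord(c)) else replacement for c in text)

def xml_event(message: str, sanitized: bool) -> str:
    """Constructed log4j-style <log4j:event> record. sanitized=False mimics the
    pre-1.7.0 XMLLayout behaviour of writing the message through unchecked."""
    body = sanitize(message) if sanitized else message
    esc = body.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return (f'<log4j:event xmlns:log4j="{LOG4J_NS}" logger="app" level="INFO">'
            f"<log4j:message>{esc}</log4j:message></log4j:event>")

def index_records(records: list) -> tuple:
    """Model a downstream indexer using a conforming parser (expat): returns
    (messages that were indexed, number of records dropped as fatal errors)."""
    indexed, dropped = [], 0
    for rec in records:
        try:
            root = ET.fromstring(rec)
            indexed.append(root.find(f"{{{LOG4J_NS}}}message").text)
        except ET.ParseError:
            dropped += 1
    return indexed, dropped

if __name__ == "__main__":
    # Constructed sample messages; the second carries ANSI colour escapes (U+001B),
    # which XML 1.0 forbids, a realistic way for such bytes to reach a log call.
    msgs = ["user login ok", "\x1b[31mauth failure\x1b[0m for bob", "disk\tusage\n95%"]
    before = [xml_event(m, sanitized=False) for m in msgs]
    after = [xml_event(m, sanitized=True) for m in msgs]
    print(index_records(before))  # the auth-failure record is lost
    print(index_records(after))   # all three records survive
```

Running forbidden_chars over existing XMLLayout output from a pre-1.7.0 deployment is a quick way to find records that downstream parsers have already been rejecting.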


* Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0
  2026-04-22 13:54 [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0 Titouan Christophe via buildroot
@ 2026-04-22 16:50 ` Julien Olivain via buildroot
  2026-05-04 14:47 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Olivain via buildroot @ 2026-04-22 16:50 UTC (permalink / raw)
  To: Titouan Christophe; +Cc: buildroot, Thomas Petazzoni

On 22/04/2026 15:54, Titouan Christophe via buildroot wrote:
> This fixes the following vulnerability:
> - CVE-2026-40023:
>     Apache Log4cxx's XMLLayout
>     (https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html),
>     in versions before 1.7.0, fails to sanitize characters forbidden by the
>     XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in log
>     messages, NDC, and MDC property keys and values, producing invalid XML
>     output. Conforming XML parsers must reject such documents with a fatal
>     error, which may cause downstream log processing systems to drop or
>     fail to index affected records.  An attacker who can influence logged
>     data can exploit this
>     to suppress individual log records, impairing audit trails and
>     detection of malicious activity.  Users are advised to upgrade to
>     Apache Log4cxx 1.7.0, which fixes this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-40023
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to master, thanks.

* Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0
  2026-04-22 13:54 [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0 Titouan Christophe via buildroot
  2026-04-22 16:50 ` Julien Olivain via buildroot
@ 2026-05-04 14:47 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-04 14:47 UTC (permalink / raw)
  To: Titouan Christophe; +Cc: Thomas Perale, buildroot

In reply to:
> This fixes the following vulnerability:
> - CVE-2026-40023:
>     Apache Log4cxx's XMLLayout
>     (https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html),
>     in versions before 1.7.0, fails to sanitize characters forbidden by the
>     XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in log
>     messages, NDC, and MDC property keys and values, producing invalid XML
>     output. Conforming XML
>     parsers must reject such documents with a fatal error, which may cause
>     downstream log processing systems to drop or fail to index affected
>     records.  An attacker who can influence logged data can exploit this
>     to suppress individual log records, impairing audit trails and
>     detection of malicious activity.  Users are advised to upgrade to
>     Apache Log4cxx 1.7.0, which fixes this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-40023
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks.

> ---
>  package/log4cxx/log4cxx.hash | 4 ++--
>  package/log4cxx/log4cxx.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/log4cxx/log4cxx.hash b/package/log4cxx/log4cxx.hash
> index f6770e287c..af97ebca18 100644
> --- a/package/log4cxx/log4cxx.hash
> +++ b/package/log4cxx/log4cxx.hash
> @@ -1,4 +1,4 @@
> -# From https://downloads.apache.org/logging/log4cxx/1.6.1/apache-log4cxx-1.6.1.tar.gz.sha512
> -sha512  6ee406314bd7ab02a46c98cc8a0d5ad5aec8928a23716a81a152775ca315cd3b950d600b2e221d5b4a88416ae9bbda1215fae43626107feea4df2f3e074303ad  apache-log4cxx-1.6.1.tar.gz
> +# From https://downloads.apache.org/logging/log4cxx/1.7.0/apache-log4cxx-1.7.0.tar.gz.sha512
> +sha512  0e94946457423689af6d85074ab97b717e0cec85a4f548e6650b060e8f98b780f980b7d4a7780410fa64681376fb4bc62fab6ed9068fc944e07f9f32ac0413af  apache-log4cxx-1.7.0.tar.gz
>  # Locally computed
>  sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
> diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
> index 57f9b1e844..ea47073d3c 100644
> --- a/package/log4cxx/log4cxx.mk
> +++ b/package/log4cxx/log4cxx.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LOG4CXX_VERSION = 1.6.1
> +LOG4CXX_VERSION = 1.7.0
>  LOG4CXX_SITE = https://archive.apache.org/dist/logging/log4cxx/$(LOG4CXX_VERSION)
>  LOG4CXX_SOURCE = apache-log4cxx-$(LOG4CXX_VERSION).tar.gz
>  LOG4CXX_INSTALL_STAGING = YES
> -- 
> 2.53.0
> 
