Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.bugs.dist > #1289326

Bug#1133368: log4cxx: CVE-2026-40023

Show all headers | View raw

Source: log4cxx
Version: 1.5.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4cxx/pull/609
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for log4cxx.

CVE-2026-40023[0]:
| Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1.7.0
| /classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0,
| fails to sanitize characters forbidden by the  XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC
| property keys and values, producing invalid XML output. Conforming
| XML parsers must reject such documents with a fatal error, which may
| cause downstream log processing systems to drop or fail to index
| affected records.  An attacker who can influence logged data can
| exploit this to suppress individual log records, impairing audit
| trails and detection of malicious activity.  Users are advised to
| upgrade to Apache Log4cxx 1.7.0, which fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40023
    https://www.cve.org/CVERecord?id=CVE-2026-40023
[1] https://github.com/apache/logging-log4cxx/pull/609
[2] https://logging.apache.org/security.html#CVE-2026-40023

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Back to linux.debian.bugs.dist | Previous | Next | Find similar

Thread

Bug#1133368: log4cxx: CVE-2026-40023 Salvatore Bonaccorso <carnil@debian.org> - 2026-04-12 16:40 +0200

csiph-web