[{"id":3680702,"web_url":"http://patchwork.ozlabs.org/comment/3680702/","msgid":"<1c53d27fa9a08d23111c87bb1b28097c@free.fr>","list_archive_url":null,"date":"2026-04-22T16:50:08","subject":"Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0","submitter":{"id":80537,"url":"http://patchwork.ozlabs.org/api/people/80537/","name":"Julien Olivain","email":"ju.o@free.fr"},"content":"On 22/04/2026 15:54, Titouan Christophe via buildroot wrote:\n> This fixes the following vulnerability:\n> - CVE-2026-40023:\n>     Apache Log4cxx's  XMLLayout\n>     https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails\n>     to sanitize characters forbidden by the  XML 1.0 specification\n>     https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC\n>     property keys and values, producing invalid XML output. Conforming XML\n>     parsers must reject such documents with a fatal error, which may cause\n>     downstream log processing systems to drop or fail to index affected\n>     records.  An attacker who can influence logged data can exploit this\n>     to suppress individual log records, impairing audit trails and\n>     detection of malicious activity.  
Users are advised to upgrade to\n>     Apache Log4cxx 1.7.0, which fixes this issue.\n>     https://www.cve.org/CVERecord?id=CVE-2026-40023\n> \n> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n\nApplied to master, thanks.","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=RS2JnQlf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g14wC2S59z1yCv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 23 Apr 2026 02:50:19 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 6EFF88097B;\n\tWed, 22 Apr 2026 16:50:17 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Rrz6eBeQGrLY; Wed, 22 Apr 2026 16:50:16 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 9A110808A2;\n\tWed, 22 Apr 2026 16:50:16 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id 818A8257\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 
16:50:14 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 67D87808A1\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 16:50:14 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id WfCHHbEacrcC for <buildroot@buildroot.org>;\n Wed, 22 Apr 2026 16:50:13 +0000 (UTC)","from smtp3-g21.free.fr (smtp3-g21.free.fr [212.27.42.3])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 3FEA280756\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 16:50:12 +0000 (UTC)","from webmail.free.fr (unknown [172.20.246.2])\n (Authenticated sender: ju.o@free.fr)\n by smtp3-g21.free.fr (Postfix) with ESMTPA id 98D5913F8B8;\n Wed, 22 Apr 2026 18:50:08 +0200 (CEST)","from 2a01:e0a:1065:2100:52d9:65fe:2df3:c492\n via 2a01:e0a:1065:2100:52d9:65fe:2df3:c492 by webmail.free.fr\n with HTTP (HTTP/1.0 POST); Wed, 22 Apr 2026 18:50:08 +0200"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9A110808A2","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 3FEA280756"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776876616;\n\tbh=/MgLR+dfXhJbxe1MbR0fQc10+yhyX3HD5AsCHERWdxo=;\n\th=Date:To:Cc:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=RS2JnQlfdEN3BP/s7oE/zGmxiiVBNKoo4bAd2cWYoDHrn0vrJP7iGHTdVvOgUMBLh\n\t npABmLMAk++SlJj0Bzk930Whp2ewwkZ6ilSz6576WtiFC5tf/a/gzkEuVplp8zx9qO\n\t oGWL4Vk0LPqocfSbIlftEpRBpc/4+n40BVNPxM33Z/Y1x1FGYjbGMPluoJJbvzSilg\n\t dKfkVm+C830OxaPMl8y1M5HOHKXjUBJGzLLcUQvOb9v6cNHQC14qcIMs5OrWLd/cFJ\n\t NT/qWZIjkZjpQqz0Ju4N5kSxLMwu/5Exo/TJrRjCsRniOg5bi5MbxoWEK5eLPOQP7y\n\t 
b9Bm4+HmB4/fQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=212.27.42.3;\n helo=smtp3-g21.free.fr; envelope-from=ju.o@free.fr; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 3FEA280756","MIME-Version":"1.0","Date":"Wed, 22 Apr 2026 18:50:08 +0200","To":"Titouan Christophe <titouan.christophe@mind.be>","Cc":"buildroot@buildroot.org, Thomas Petazzoni <thomas.petazzoni@bootlin.com>","In-Reply-To":"<20260422135456.3109434-1-titouan.christophe@mind.be>","References":"<20260422135456.3109434-1-titouan.christophe@mind.be>","User-Agent":"Webmail Free/1.6.14","Message-ID":"<1c53d27fa9a08d23111c87bb1b28097c@free.fr>","X-Sender":"ju.o@free.fr","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=free.fr; s=smtp-20201208; t=1776876610;\n bh=TvifoKXedrjtHgsGD8dKegEtPk0Vaa57+BAsNhtSOSo=;\n h=Date:From:To:Cc:Subject:In-Reply-To:References:From;\n b=Nitrbgv8mbE54s3mO9N175VmMS9ecYaRZtJMQKIJPNfzBbzT3KeFaAwKJQnIJ9uht\n xPh8sBbUTpqxLMCW3w+34lmhYszymtAiJlc8rD2t1eVotDEk5E0zYILDiY3n5nrz19\n 24xGZexXWxD4mDs6voObFN7+5rVLRpkWZ0fi8dLj4J91HeINr9dssmPMK3SaLfVJVN\n dy+qtanCXCE79h/bAkBwIcXGvi8XEsAb0qKnf5j63D5u9yi71vJPNkE66pHsGkp3Ud\n DdCE42/GT5ai6Y20IxKf2D2FdESAIkhdtgqQMmbBQuBFvfjWBr9++xtg4ELJVVL75F\n k5mQ9b+itsDLQ==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=free.fr","smtp1.osuosl.org;\n dkim=pass (2048-bit key) header.d=free.fr header.i=@free.fr\n header.a=rsa-sha256 header.s=smtp-20201208 header.b=Nitrbgv8"],"Subject":"Re: [Buildroot] [PATCH] package/log4cxx: security bump to v1.7.0","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n 
<mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Julien Olivain via buildroot <buildroot@buildroot.org>","Reply-To":"Julien Olivain <ju.o@free.fr>","Content-Transfer-Encoding":"7bit","Content-Type":"text/plain; charset=\"us-ascii\"; Format=\"flowed\"","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]