log4net - Debian Package Tracker

general

source: log4net (main)
version: 1.2.10+dfsg-10
maintainer: Debian .NET Team (archive) (DMD)
uploaders: James Montgomery [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.2.10+dfsg-8
stable: 1.2.10+dfsg-9
unstable: 1.2.10+dfsg-10

versioned links

1.2.10+dfsg-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.10+dfsg-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.10+dfsg-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

liblog4net-cil-dev
liblog4net1.2-cil

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-40021: Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event. An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.

Created: 2026-04-11 Last update: 2026-06-07 00:31

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-07 Last update: 2026-06-07 04:30

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-40021: (needs triaging) Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event. An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-11 Last update: 2026-06-07 00:31

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 1.2.10+dfsg-9 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-09-02 08:42

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2015-09-09 Last update: 2026-06-06 22:30

testing migrations

excuses:
- Migration status for log4net (- to 1.2.10+dfsg-10): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ New but not reproduced on amd64 - info: liblog4net1.2-cil
- ∙ ∙ New but not reproduced on arm64 - info: liblog4net1.2-cil
- ∙ ∙ New but not reproduced on armhf - info: liblog4net1.2-cil
- ∙ ∙ New but not reproduced on i386 - info: liblog4net1.2-cil
- ∙ ∙ Too young, only 0 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/l/log4net.html
- ∙ ∙ Autopkgtest skipped on riscv64: not installable (which is allowed)
- Not considered

news

[rss feed]

[2026-06-06] Accepted log4net 1.2.10+dfsg-10 (source) into unstable (James Montgomery) (signed by: bage@debian.org)
[2025-10-25] log4net REMOVED from testing (Debian testing watch)
[2023-09-07] log4net 1.2.10+dfsg-9 MIGRATED to testing (Debian testing watch)
[2023-09-01] Accepted log4net 1.2.10+dfsg-9 (source) into unstable (Mirco Bauer) (signed by: bage@debian.org)
[2022-01-13] log4net REMOVED from testing (Debian testing watch)
[2021-04-18] log4net 1.2.10+dfsg-8 MIGRATED to testing (Debian testing watch)
[2021-04-11] Accepted log4net 1.2.10+dfsg-8 (source) into unstable (Mirco Bauer) (signed by: Christian Hofstaedtler)
[2021-01-08] log4net 1.2.10+dfsg-7.1 MIGRATED to testing (Debian testing watch)
[2021-01-02] Accepted log4net 1.2.10+dfsg-7.1 (source) into unstable (Holger Levsen)
[2020-05-15] Accepted log4net 1.2.10+dfsg-6+deb8u1 (source all) into oldoldstable (Chris Lamb)
[2015-09-15] log4net 1.2.10+dfsg-7 MIGRATED to testing (Britney)
[2015-09-09] Accepted log4net 1.2.10+dfsg-7 (source all) into unstable (Jo Shields)
[2012-02-04] log4net 1.2.10+dfsg-6 MIGRATED to testing (Debian testing watch)
[2012-01-22] Accepted log4net 1.2.10+dfsg-6 (source all) (Jo Shields)
[2011-07-22] log4net 1.2.10+dfsg-5 MIGRATED to testing (Debian testing watch)
[2011-07-11] Accepted log4net 1.2.10+dfsg-5 (source all) (Julian Taylor) (signed by: Iain Lane)
[2010-01-17] log4net 1.2.10+dfsg-4 MIGRATED to testing (Debian testing watch)
[2010-01-06] Accepted log4net 1.2.10+dfsg-4 (source all) (Jo Shields)
[2009-03-18] log4net 1.2.10+dfsg-3 MIGRATED to testing (Debian testing watch)
[2009-03-07] Accepted log4net 1.2.10+dfsg-3 (source all) (Mirco Bauer)
[2009-03-06] Accepted log4net 1.2.10+dfsg-2 (source all) (Jo Shields) (signed by: Mirco Bauer)
[2008-04-15] log4net 1.2.10+dfsg-1 MIGRATED to testing (Debian testing watch)
[2008-04-03] Accepted log4net 1.2.10+dfsg-1 (source all) (Sebastian Dröge)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 2)
buildd: logs
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.10+dfsg-9build1