Upgrade log4net to v2.0.12 #574

Merged
merged 3 commits into from Feb 6, 2021

@stakx (Member) commented Feb 6, 2021

No description provided.

This version includes a fix for CVE-2018-1285.
@stakx stakx marked this pull request as draft February 6, 2021 11:21
@stakx (Member, Author) commented Feb 6, 2021

The .NET Core test run on Ubuntu is now failing; it appears that this is due to an issue in log4net 2.0.10's MemoryAppender. While not documented, it appears to have been resolved in 2.0.12.

We have the following options:

  1. don't update log4net at all
  2. update to 2.0.10 and disable the failing tests
  3. update to 2.0.12, hoping that the issue really did get fixed, and they just forgot to update the issue tracker status (vs. the bug just no longer surfacing by pure chance)

(2), i.e. picking a buggy version and skipping tests because of that, seems like the worst option to me. I'm torn between (1) and (3). If (3) is still buggy, it'd be bad to force people to use that version.

@jonorossi (Member)

@stakx I'd go with option 3, upgrade to 2.0.12. 2.0.10 was released 5 months ago with .11 a month later and .12 another month later, close enough that it is unlikely to be a problem. NuGet will pretty much treat it as a patch version anyway, 2.0.12 nearly has 3 times the number of downloads, and we are making a major release next too.

Versions 2.0.10 and 2.0.11 appear to be affected by an issue in
`MemoryAppender` which breaks two of our unit tests.

See https://issues.apache.org/jira/projects/LOG4NET/issues/LOG4NET-649.
@stakx stakx changed the title Upgrade log4net to v2.0.10 Upgrade log4net to v2.0.12 Feb 6, 2021
@stakx stakx marked this pull request as ready for review February 6, 2021 12:34
@stakx stakx merged commit 3201262 into castleproject:master Feb 6, 2021
@stakx stakx deleted the log4net-2.0.10 branch February 6, 2021 14:35