version of LibExpat and LibPCRE | Log collection solutions

#1 magesh041985 7 years ago

does nxlog-2.9.1716 still uses LibExpat v2.0.1 and LibPCRE v8.02?

Impact:
LibPCRE v8.02 is vulnerable to DoS and code overflow.
LibExpat v2.0.1 has 4 publicly identified vulnerabilities.

References

https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-129378/Libexpat-Expat-2.0.1.html
https://www.cvedetails.com/vulnerability-list/vendor_id-3265/product_id-5715/version_id-191791/Pcre-Pcre-8.02.html

is it possible to update LibExpat to v2.1.0 and LibPCRE to v8.39?

Permalink

#2 b0ti Nxlog ✓ 7 years ago (Last updated 5 years ago )

#1 magesh041985

does nxlog-2.9.1716 still uses LibExpat v2.0.1 and LibPCRE v8.02? Impact: LibPCRE v8.02 is vulnerable to DoS and code overflow. LibExpat v2.0.1 has 4 publicly identified vulnerabilities. References https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-129378/Libexpat-Expat-2.0.1.html https://www.cvedetails.com/vulnerability-list/vendor_id-3265/product_id-5715/version_id-191791/Pcre-Pcre-8.02.html is it possible to update LibExpat to v2.1.0 and LibPCRE to v8.39?

We are aware of these security issues in PCRE and Expat. The NXLog Enterprise Edition is already using pcre-8.39 and expat-2.2.

The msi installer of the NXLog Community Edition v2.9.1716 still has the old libraries. If this is a concern I suggest going with the NXLog EE.