version of LibExpat and LibPCRE


#1 magesh041985

Does nxlog-2.9.1716 still use LibExpat v2.0.1 and LibPCRE v8.02?

Impact:
LibPCRE v8.02 is vulnerable to DoS and code overflow.
LibExpat v2.0.1 has 4 publicly identified vulnerabilities.

References

https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-129378/Libexpat-Expat-2.0.1.html
https://www.cvedetails.com/vulnerability-list/vendor_id-3265/product_id-5715/version_id-191791/Pcre-Pcre-8.02.html

Is it possible to update LibExpat to v2.1.0 and LibPCRE to v8.39?

#2 b0ti Nxlog ✓

We are aware of these security issues in PCRE and Expat. The NXLog Enterprise Edition is already using pcre-8.39 and expat-2.2.

The MSI installer of the NXLog Community Edition v2.9.1716 still has the old libraries. If this is a concern, I suggest going with the NXLog EE.