From: "Debian .NET Team" <debian-cli@lists.debian.org>
Date: Fri, 22 May 2026 19:51:20 -0400
Subject: fix_XXE_CVE-2018-1285

===================================================================
---
 src/Config/XmlConfigurator.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Config/XmlConfigurator.cs b/src/Config/XmlConfigurator.cs
index d4f549b..13c1977 100644
--- a/src/Config/XmlConfigurator.cs
+++ b/src/Config/XmlConfigurator.cs
@@ -619,9 +619,9 @@ namespace log4net.Config
 					// Create a text reader for the file stream
 					XmlTextReader xmlReader = new XmlTextReader(configStream);
 #elif NET_2_0
-					// Allow the DTD to specify entity includes
 					XmlReaderSettings settings = new XmlReaderSettings();
-					settings.ProhibitDtd = false;
+					// don't allow the DTD to specify entity includes
+					settings.ProhibitDtd = true;
 
 					// Create a reader over the input stream
 					XmlReader xmlReader = XmlReader.Create(configStream, settings);
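Review bot: The `XmlTextReader` branch in the context lines directly above `#elif NET_2_0` is untouched, so any build that compiles it still creates `new XmlTextReader(configStream)` with no visible DTD or resolver restriction. The `#if` condition and the rest of the method are outside this hunk, so please confirm which targets take that branch. If any are still shipped, adding `xmlReader.XmlResolver = null;` right after the constructor is the usual way to stop external entity resolution there. On the patched branch, `ProhibitDtd = true` makes the reader throw on any config that contains a DOCTYPE, which is the intended result but a behaviour change for users who relied on entity includes. A more explicit comment would help the next maintainer, for example `// Reject DTDs to block external-entity expansion (CVE-2018-1285); configs with a DOCTYPE will fail to load`.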
