Apache has issued an advisory on May 10:
There is no fix, only a mitigation, and this is dead abandoned software.
Mageia 7 is also affected.
No fix available as of May 2020
Debian-LTS has issued an advisory for this on May 15:
They seem to think this is a fix:
No fix available as of May 2020 =>
Possible fix upstream
Possible fix upstream =>
This update fixes CVE-2018-1285.
This patch fixes a security vulnerability reported by Karthik Balasundaram. The security vulnerability was found in the way log4net parses XML configuration files, where it allowed XML External Entity processing. An attacker could use this as an attack vector if he could modify the XML configuration file.
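As an added example (not part of this bug thread and not log4net code): one way to audit deployed log4net XML configuration files for the DTD and entity declarations the advisory text above concerns. The function names and both sample configurations are constructed for illustration.

```python
import sys
import xml.parsers.expat

def audit_log4net_config(xml_data):
    """Return (kind, name, system_id) findings for DTD use in a config.

    No ExternalEntityRefHandler is installed, so expat reports the
    declarations but never fetches an external entity during the audit.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if system_id is not None else "internal-entity"
        findings.append((kind, name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("parse-error", str(exc), None))
    return findings

def references_external_resource(findings):
    # True when a DOCTYPE or ENTITY declaration names a SYSTEM identifier.
    return any(system_id is not None for _, _, system_id in findings)

# Constructed sample: an ordinary configuration with no DTD.
CLEAN_CONFIG = """<log4net>
  <appender name="Console" type="log4net.Appender.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="Console"/></root>
</log4net>"""

# Constructed sample: a configuration that declares an external entity.
DTD_CONFIG = """<!DOCTYPE log4net [
  <!ENTITY ext SYSTEM "file:///constructed/placeholder">
]>
<log4net><root><level value="INFO"/></root></log4net>"""

if __name__ == "__main__":
    # Usage: pass the paths of log4net XML configuration files to check.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in audit_log4net_config(fh.read()):
                print(path, *finding)
```

A log4net configuration has no need for a DOCTYPE, so any finding is a reason to review who can write to that file.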
MGA7-64 Plasma on Lenovo B50
No installation issues.
Previous update was bug 4816 from 2006.
Googled and found a.o. https://stackify.com/log4net-guide-dotnet-logging/
This is pure developers stuff. I propose to OK on clean install if the higher powers agree.
Yeah, clean upgrade is sufficient.
Thank you Herman, David. Validating. Advisory in Comment 2.
Fedora has issued an advisory for this on May 24:
An update for this issue has been pushed to the Mageia Updates repository.