Apache has issued an advisory on March 9:
The issue is fixed upstream in 2.3.
Mageia 7 and Mageia 8 are also affected.
MGA8TOO, MGA7TOO
Status comment: Fixed upstream in 2.3
Fixed in Cauldron.
Patch added in mga7/8:
Updated velocity packages fix security vulnerability:
An attacker that is able to modify Velocity templates may execute arbitrary
Java code or run arbitrary system commands with the same privileges as the
account running the Servlet container. This applies to applications that allow
untrusted users to upload/modify velocity templates running Apache Velocity
Engine versions up to 2.2 (CVE-2020-13936).
Updated packages in core/updates_testing:
Installed the four velocity rpms and two dependencies in vbox mga7 and mga8 guests, then updated them. No installation issues.
Looked for a past update, found nothing. Read some of the manual, but soon got very lost, as I know nothing of using java. Tried a couple of the elementary scripts from velocity-demo that were supposed to be pre-compiled, but they threw errors obviously caused by my lack of basic relevant skills.
So, I'm going to pass this along with a clean install for both mga7 and mga8.
Validating. Advisory in Comment 2.
MGA7TOO MGA7-64-OK MGA8-64-OK
An update for this issue has been pushed to the Mageia Updates repository.