A fix for this CVE has been prepared in the adoption upload 1.2.10+dfsg-10 as a backport of upstream PR #280 (merged in log4net 3.3.0). The upload is pending sponsorship [0].
[0] https://salsa.debian.org/dotnet-team/log4net/-/merge_requests/1 -- James Montgomery <[email protected]>
