Bug#1001785: texlive-extra affected by log4j CVEs

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1001785: texlive-extra affected by log4j CVEs
From: Sven Mueller <sven.mueller72@gmail.com>
Date: Thu, 16 Dec 2021 09:38:20 +0100
Message-id: <[🔎] CACxpPiR3MS0uk4K-AEcwWXhjps9WDX_9biXHeg8ho+vDAfOjzg@mail.gmail.com>
Reply-to: Sven Mueller <sven.mueller72@gmail.com>, 1001785@bugs.debian.org

Package: texlive-extra-utils

Severity: grave

Version: 2021.20211127-1

Tags: security

texlive-extra-utils contains arara (https://github.com/islandoftex/arara) which was updated two days ago via TeX Live (https://www.tug.org/texlive/) which was updated slightly after that. Please update to the newest TeX Live ASAP, as arara in unstable and testing (also stable?) currently bundles a vulnerable apache-log4j2 version.

The alternative would be to remove the JndiLookup.class file from the relevant .jar - This causes a warning but otherwise doesn't affect execution and seems to properly avoid the vulnerabilities in CVE-2021-45046 and CVE-2021-44228

Reply to:

Follow-Ups:
- Bug#1001785: texlive-extra affected by log4j CVEs
  - From: Hilmar Preuße <hille42@web.de>
- Bug#1001785: marked as done (texlive-extra affected by log4j CVEs)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1001785: texlive-extra affected by log4j CVEs
  - From: Hilmar Preuße <hille42@web.de>

Prev by Date: dvisvgm_2.12-4_source.changes ACCEPTED into unstable
Next by Date: Bug#1001785: texlive-extra affected by log4j CVEs
Previous by thread: dvisvgm_2.12-4_source.changes ACCEPTED into unstable
Next by thread: Bug#1001785: texlive-extra affected by log4j CVEs
Index(es):
- Date
- Thread