Your message dated Sat, 18 Dec 2021 13:23:53 +0000
with message-id <E1myZgn-000AYc-L4@fasolo.debian.org>
and subject line Bug#1001785: fixed in texlive-extra 2021.20211217-1
has caused the Debian Bug report #1001785,
regarding texlive-extra affected by log4j CVEs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1001785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001785
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: texlive-extra affected by log4j CVEs
- From: Sven Mueller <sven.mueller72@gmail.com>
- Date: Thu, 16 Dec 2021 09:38:20 +0100
- Message-id: <CACxpPiR3MS0uk4K-AEcwWXhjps9WDX_9biXHeg8ho+vDAfOjzg@mail.gmail.com>
Package: texlive-extra-utils
Severity: grave
Version: 2021.20211127-1
Tags: security

texlive-extra-utils contains arara (https://github.com/islandoftex/arara) which was updated two days ago via TeX Live (https://www.tug.org/texlive/) which was updated slightly after that. Please update to the newest TeX Live ASAP, as arara in unstable and testing (also stable?) currently bundles a vulnerable apache-log4j2 version.

The alternative would be to remove the JndiLookup.class file from the relevant .jar - This causes a warning but otherwise doesn't affect execution and seems to properly avoid the vulnerabilities in CVE-2021-45046 and CVE-2021-44228
--- End Message ---
--- Begin Message ---
- To: 1001785-close@bugs.debian.org
- Subject: Bug#1001785: fixed in texlive-extra 2021.20211217-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 18 Dec 2021 13:23:53 +0000
- Message-id: <E1myZgn-000AYc-L4@fasolo.debian.org>
- Reply-to: Hilmar Preusse <hille42@web.de>
Source: texlive-extra
Source-Version: 2021.20211217-1
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of
texlive-extra, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1001785@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-extra package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 18 Dec 2021 08:32:49 +0100
Source: texlive-extra
Architecture: source
Version: 2021.20211217-1
Distribution: unstable
Urgency: high
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Closes: 1001785
Changes:
 texlive-extra (2021.20211217-1) unstable; urgency=high
 .
   * New upstream snapshot. Update copy of log4j2 in arara.jar to version
     2.16.0 (Closes: #1001785).
--- End Message ---
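
The two checks this thread turns on, as an added example that is not part of the original bug report or of the Debian or arara code: whether a jar still ships JndiLookup.class, and whether the log4j-core it bundles is at least 2.16.0. The sample jars are constructed in memory; reading the version from log4j-core's pom.properties assumes the fat jar kept that Maven metadata, and the 2.14.1 sample version is made up.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(data):
    """Report whether the jar ships JndiLookup and which log4j-core it declares."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:  # assumption: the fat jar kept log4j-core's Maven metadata
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"has_jndi_lookup": JNDI_CLASS in names, "log4j_core_version": version}

def version_at_least(version, minimum=(2, 16, 0)):
    """True only for a parseable dotted version >= minimum (2.16.0 is the page's fix)."""
    try:
        parts = tuple(int(p) for p in version.split(".")[:3])
    except (AttributeError, ValueError):  # None, or non-numeric such as "2.0-beta9"
        return False
    return parts + (0,) * (3 - len(parts)) >= minimum

def needs_attention(report):
    """Flag a jar that still carries the class and is not known to be >= 2.16.0."""
    return report["has_jndi_lookup"] and not version_at_least(report["log4j_core_version"])

def strip_jndi_lookup(data):
    """Return a copy of the jar without JndiLookup.class (the report's alternative)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a fat jar such as arara.jar; not the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr("example/Main.class", b"\xca\xfe\xba\xbe")  # hypothetical entry
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    old = make_sample_jar("2.14.1")  # constructed version number, not taken from the page
    for label, jar in (("old", old), ("stripped", strip_jndi_lookup(old)),
                       ("updated", make_sample_jar("2.16.0"))):
        print(label, inspect_jar(jar), "needs attention:", needs_attention(inspect_jar(jar)))
```

log4j-core 2.16.0 still contains JndiLookup.class, so the presence of the class alone is not the signal; the check combines it with the bundled version.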