
Bug#1001785: texlive-extra affected by log4j CVEs



Hi Hilmar.

I'm on vacation and don't currently have access to a computer other than my mobile phone. Anyhow, your command to check for the vulnerable class looks right to me.

No clue when the relevant class started being included in Arara and TeX live.

Cheers,
Sven

Hilmar Preuße <hille42@web.de> wrote on Sat., 18 Dec 2021, 14:47:
On 16.12.2021 at 09:38, Sven Mueller wrote:

Hi Sven, hi Norbert,

> texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
> which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
> which was updated slightly after that. Please update to the newest TeX Live
> ASAP, as arara in unstable and testing (also stable?) currently bundles a
> vulnerable apache-log4j2 version.
>
According to my knowledge the arara.jar from stable does not contain the
java class in question:

hille@sid:~/TL_1 $ unzip -l arara.jar |grep -i lookup|grep -i jndi
hille@sid:~/TL_1 $

hille@sid:~/TL_1 $ unzip -l arara_sid.jar |grep -i lookup|grep -i jndi
      2937  2021-12-12 23:41   org/apache/logging/log4j/core/lookup/JndiLookup.class

So stable is not affected. Could anybody confirm?

Hilmar
--
sigfault
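The `unzip -l | grep` check above only inspects the top-level listing. The following added example (not part of the bug report or of arara) performs the same check in Python and also descends into jars nested inside the archive, reporting the log4j-core version from a bundled pom.properties where one is present; the sample archives, class bytes and version string are constructed placeholders, not data from TeX Live.

```python
import io
import zipfile
from typing import Dict, List, Optional

# The class Hilmar's `unzip -l | grep -i lookup | grep -i jndi` looks for.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_SUFFIX = "/log4j-core/pom.properties"


def find_jndi_lookup(jar_bytes: bytes, prefix: str = "") -> List[str]:
    """Return every path (outer!inner) at which JndiLookup.class occurs.

    Walks the entries as `unzip -l` lists them and additionally descends into
    jars nested inside the archive, which a grep over the listing misses.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(prefix + name)
            elif name.lower().endswith((".jar", ".war", ".zip")):
                hits.extend(find_jndi_lookup(zf.read(name), prefix + name + "!"))
    return hits


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Return the log4j-core version from a bundled Maven pom.properties
    in the top-level archive, or None if there is none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(POM_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return value.strip()
    return None


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a small zip archive in memory (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for arara.jar (stable) and arara_sid.jar: class bodies
# and the version string are placeholders, not bytes taken from TeX Live.
STABLE_JAR = build_jar({"org/islandoftex/arara/Main.class": b"\xca\xfe\xba\xbe"})
SID_JAR = build_jar({
    "org/islandoftex/arara/Main.class": b"\xca\xfe\xba\xbe",
    JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
    "META-INF/maven/org.apache.logging.log4j" + POM_SUFFIX: b"version=2.14.1\n",
})
# A third sample hides the same content inside a nested jar, as bundled builds can.
NESTED_JAR = build_jar({"lib/log4j-core.jar": SID_JAR})
```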

