Bug#1001785: texlive-extra affected by log4j CVEs

To: Sven Mueller <sven.mueller72@gmail.com>
Subject: Bug#1001785: texlive-extra affected by log4j CVEs
From: Hilmar Preuße <hille42@web.de>
Date: Sat, 18 Dec 2021 00:15:48 +0100
Message-id: <[🔎] c6931dbe-f415-9ada-d5d7-88b0a9c8d99f@web.de>
Reply-to: Hilmar Preuße <hille42@web.de>, 1001785@bugs.debian.org
In-reply-to: <[🔎] CACxpPiR3MS0uk4K-AEcwWXhjps9WDX_9biXHeg8ho+vDAfOjzg@mail.gmail.com>
References: <[🔎] CACxpPiR3MS0uk4K-AEcwWXhjps9WDX_9biXHeg8ho+vDAfOjzg@mail.gmail.com> <[🔎] CACxpPiR3MS0uk4K-AEcwWXhjps9WDX_9biXHeg8ho+vDAfOjzg@mail.gmail.com>

Am 16.12.2021 um 09:38 teilte Sven Mueller mit:

Hi,

texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
which was updated slightly after that. Please update to the newest TeX Live
ASAP, as arara in unstable and testing (also stable?) currently bundles a
vulnerable apache-log4j2 version.

For unstable / testing I'll simply push a new CTAN snapshot to thearchive. Should not be that hard.

I did not check stable yet, but I'm pretty sure it is affected too. I'dput the jar file in question on the blacklist and hence remove it fromthe package. Would this be OK?


Did you check oldstable yet?

Hilmar
--
sigfault

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Bug#1001785: texlive-extra affected by log4j CVEs
  - From: Norbert Preining <preining@logic.at>

References:
- Bug#1001785: texlive-extra affected by log4j CVEs
  - From: Sven Mueller <sven.mueller72@gmail.com>

Prev by Date: Bug#1001785: texlive-extra affected by log4j CVEs
Next by Date: Re: Bug#1001785: texlive-extra affected by log4j CVEs
Previous by thread: Bug#1001785: texlive-extra affected by log4j CVEs
Next by thread: Re: Bug#1001785: texlive-extra affected by log4j CVEs
Index(es):
- Date
- Thread