Am 16.12.2021 um 09:38 teilte Sven Mueller mit: Hi Sven, hi Norbert,
According to my knowledge the arara.jar from stable does not contain the java class in question:texlive-extra-utils contains arara (https://github.com/islandoftex/arara) which was updated two days ago via TeX Live (https://www.tug.org/texlive/) which was updated slightly after that. Please update to the newest TeX Live ASAP, as arara in unstable and testing (also stable?) currently bundles a vulnerable apache-log4j2 version.
hille@sid:~/TL_1 $ unzip -l arara.jar |grep -i lookup|grep -i jndi hille@sid:~/TL_1 $ hille@sid:~/TL_1 $ unzip -l arara_sid.jar |grep -i lookup|grep -i jndi2937 2021-12-12 23:41 org/apache/logging/log4j/core/lookup/JndiLookup.class
So stable is not affected. Could anybody confirm? Hilmar -- sigfault
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature