Hi Hilmar. I'm on vacation and don't currently have access to a computer other than my mobile phone. Anyhow, your command to check for the vulnerable class looks right to me.
No clue when the relevant class started being included in Arara and TeX Live.

Cheers,
Sven

Hilmar Preuße <hill...@web.de> wrote on Sat, 18 Dec 2021, 14:47:

> On 16.12.2021 at 09:38, Sven Mueller wrote:
>
> Hi Sven, hi Norbert,
>
> > texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
> > which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
> > which was updated slightly after that. Please update to the newest TeX Live
> > ASAP, as arara in unstable and testing (also stable?) currently bundles a
> > vulnerable apache-log4j2 version.
>
> According to my knowledge the arara.jar from stable does not contain the
> java class in question:
>
> hille@sid:~/TL_1 $ unzip -l arara.jar |grep -i lookup|grep -i jndi
> hille@sid:~/TL_1 $
>
> hille@sid:~/TL_1 $ unzip -l arara_sid.jar |grep -i lookup|grep -i jndi
> 2937 2021-12-12 23:41 org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> So stable is not affected. Could anybody confirm?
>
> Hilmar
> --
> sigfault
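The check discussed in this thread, generalized as an added example (not code from the thread or from the arara or Debian projects): it also looks for JndiLookup.class in jars bundled inside the jar, which a top-level `unzip -l` listing does not show. The function names and the sample jars are constructed for illustration.

```python
import io
import zipfile

# Path of the class the thread greps for (taken from the unzip listing above).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label="archive", max_depth=5):
    """Return 'outer!/inner!/entry' paths of every JndiLookup.class in data.

    data is the raw bytes of a jar. Nested archives are opened in memory, at
    most max_depth levels deep, so a deeply nested file cannot recurse forever.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip (or corrupt): nothing to list
    with zf:
        for info in zf.infolist():
            name = info.filename
            path = f"{label}!/{name}"
            # Case-insensitive suffix match, like the 'grep -i' in the thread;
            # it also matches a relocated (shaded) package prefix.
            if name.lower().endswith("lookup/jndilookup.class"):
                hits.append(path)
            elif max_depth > 0 and name.lower().endswith(NESTED_SUFFIXES):
                hits += find_jndi_lookup(zf.read(info), path, max_depth - 1)
    return hits


def make_jar(entries):
    """Build a constructed sample jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not the real arara jars from the thread.
    clean = make_jar({"example/Main.class": b"\xca\xfe\xba\xbe"})
    inner = make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    bundled = make_jar({"META-INF/MANIFEST.MF": b"", "lib/log4j-core.jar": inner})
    for label, blob in (("clean.jar", clean), ("bundled.jar", bundled)):
        print(label, find_jndi_lookup(blob, label) or "no JndiLookup.class")
```

A hit only shows that the class is present in the archive; which log4j version it belongs to has to be determined separately.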