Am 16.12.2021 um 09:38 teilte Sven Mueller mit: Hi,
For unstable / testing I'll simply push a new CTAN snapshot to the archive. Should not be that hard.texlive-extra-utils contains arara (https://github.com/islandoftex/arara) which was updated two days ago via TeX Live (https://www.tug.org/texlive/) which was updated slightly after that. Please update to the newest TeX Live ASAP, as arara in unstable and testing (also stable?) currently bundles a vulnerable apache-log4j2 version.
I did not check stable yet, but I'm pretty sure it is affected too. I'd put the jar file in question on the blacklist and hence remove it from the package. Would this be OK?
Did you check oldstable yet? Hilmar -- sigfault
OpenPGP_signature
Description: OpenPGP digital signature
