Bug#1001785: texlive-extra affected by log4j CVEs

2021-12-19 Thread Sven Mueller
Hi Hilmar.

I'm on vacation and don't currently have access to a computer other than my
mobile phone. Anyhow, your command to check for the vulnerable class looks
right to me.

No clue when the relevant class started being included in Arara and TeX
live.

Cheers,
Sven

Hilmar Preuße wrote on Sat., 18 Dec 2021, 14:47:

> On 16.12.2021 at 09:38, Sven Mueller wrote:
>
> Hi Sven, hi Norbert,
>
> > texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
> > which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
> > which was updated slightly after that. Please update to the newest TeX Live
> > ASAP, as arara in unstable and testing (also stable?) currently bundles a
> > vulnerable apache-log4j2 version.
> >
> According to my knowledge the arara.jar from stable does not contain the
> java class in question:
>
> hille@sid:~/TL_1 $ unzip -l arara.jar |grep -i lookup|grep -i jndi
> hille@sid:~/TL_1 $
>
> hille@sid:~/TL_1 $ unzip -l arara_sid.jar |grep -i lookup|grep -i jndi
>   2937  2021-12-12 23:41
> org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> So stable is not affected. Could anybody confirm?
>
> Hilmar
> --
> sigfault
>
>


Bug#1001785: texlive-extra affected by log4j CVEs

2021-12-18 Thread Hilmar Preuße

On 16.12.2021 at 09:38, Sven Mueller wrote:

Hi Sven, hi Norbert,


> texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
> which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
> which was updated slightly after that. Please update to the newest TeX Live
> ASAP, as arara in unstable and testing (also stable?) currently bundles a
> vulnerable apache-log4j2 version.

According to my knowledge the arara.jar from stable does not contain the
java class in question:


hille@sid:~/TL_1 $ unzip -l arara.jar |grep -i lookup|grep -i jndi
hille@sid:~/TL_1 $

hille@sid:~/TL_1 $ unzip -l arara_sid.jar |grep -i lookup|grep -i jndi
  2937  2021-12-12 23:41   org/apache/logging/log4j/core/lookup/JndiLookup.class


So stable is not affected. Could anybody confirm?

Hilmar
--
sigfault





Bug#1001785: texlive-extra affected by log4j CVEs

2021-12-17 Thread Hilmar Preuße

On 16.12.2021 at 09:38, Sven Mueller wrote:

Hi,


> texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
> which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
> which was updated slightly after that. Please update to the newest TeX Live
> ASAP, as arara in unstable and testing (also stable?) currently bundles a
> vulnerable apache-log4j2 version.

For unstable / testing I'll simply push a new CTAN snapshot to the
archive. Should not be that hard.


I did not check stable yet, but I'm pretty sure it is affected too. I'd
put the jar file in question on the blacklist and hence remove it from
the package. Would this be OK?


Did you check oldstable yet?

Hilmar
--
sigfault





Bug#1001785: texlive-extra affected by log4j CVEs

2021-12-16 Thread Sven Mueller
Package: texlive-extra-utils
Severity: grave
Version: 2021.20211127-1
Tags: security

texlive-extra-utils contains arara (https://github.com/islandoftex/arara)
which was updated two days ago via TeX Live (https://www.tug.org/texlive/)
which was updated slightly after that. Please update to the newest TeX Live
ASAP, as arara in unstable and testing (also stable?) currently bundles a
vulnerable apache-log4j2 version.

The alternative would be to remove the JndiLookup.class file from the
relevant .jar. This causes a warning but otherwise doesn't affect
execution and seems to properly avoid the vulnerabilities in CVE-2021-45046
and CVE-2021-44228.
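The two steps discussed in this thread (Hilmar's `unzip -l ... | grep -i lookup | grep -i jndi` check, and the fallback from the report of deleting `JndiLookup.class` from the jar) as an added Python example. This is not code from the bug report, from Debian, or from the arara project; it reimplements the same check with the standard `zipfile` module so it can be run over many jars at once, and uses a constructed stand-in jar with dummy members (the class names and the `build_sample_jar` / `demo` helpers are this example's own, not anything shipped in texlive-extra-utils).

```python
import io
import sys
import zipfile

# The member the report and the unzip check in this thread look for.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_lookup(jar):
    """Equivalent of `unzip -l jar | grep -i lookup | grep -i jndi`.

    `jar` is a path or a file-like object. Returns the member names whose
    path contains both 'lookup' and 'jndi' (case-insensitive), so an
    empty list means the class is not bundled at the top level of the jar.
    """
    with zipfile.ZipFile(jar) as zf:
        return [n for n in zf.namelist()
                if "lookup" in n.lower() and "jndi" in n.lower()]


def strip_jndi_lookup(src, dst):
    """Copy src to dst, dropping JndiLookup.class (the report's fallback mitigation).

    Every other member is copied with its original ZipInfo, so compression
    and timestamps are preserved. Returns the number of members removed.
    """
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar(include_jndi):
    """Constructed stand-in for arara.jar: a manifest plus dummy 'class' members.

    The bytes are not real bytecode; only the member names matter for the check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


def demo():
    """Mirror the thread: check a stable-like jar (class absent) and a sid-like
    jar (class present), strip the latter, and re-check. Returns the findings."""
    stable_like = build_sample_jar(include_jndi=False)
    sid_like = build_sample_jar(include_jndi=True)

    stable_hits = find_jndi_lookup(stable_like)
    sid_hits = find_jndi_lookup(sid_like)

    fixed = io.BytesIO()
    removed = strip_jndi_lookup(sid_like, fixed)
    fixed.seek(0)
    with zipfile.ZipFile(fixed) as zf:
        fixed_members = sorted(zf.namelist())

    return {
        "stable_hits": stable_hits,
        "sid_hits": sid_hits,
        "removed": removed,
        "fixed_hits": find_jndi_lookup(fixed),
        "fixed_members": fixed_members,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check_jndi.py /path/to/arara.jar [more.jar ...]
        for path in sys.argv[1:]:
            hits = find_jndi_lookup(path)
            state = "JndiLookup present" if hits else "clean"
            print(f"{path}: {state} {hits}")
    else:
        print(demo())
```

Two caveats match what the thread itself says and does not say: the check only lists members of the jar it is given, so log4j nested inside another jar (jar-in-jar packaging) would not be seen without recursing into inner archives; and deleting the class is the report's stopgap, while the fix Hilmar chose for unstable/testing is shipping the updated upstream snapshot.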