Hey folks,

If you haven't heard abt the log4j vuln from Friday yet, I envy you and def want to know how you managed to do that.

For folks who develop Java-backed packages, pls be aware there's an arbitrary code execution issue with log4j v2 <= 2.15.0 (NOTE log4j v1 1.x are not impacted).

Thanks to a q by Sir Leeper, I've scanned all of CRAN with — https://github.com/mergebase/log4j-detector — (and looked for the log4j v2 jar directly) and it's all good, but wanted to let folks know abt that tool and suggest that you run that in new packages or if you update your old ones.

The odds of any R environment being impacted by this vulnerability were super slim (to almost none) to begin with and — if the tool is accurate — it's 0.

This is a technical but rly good Reddit thread on the log4j issue if folks want some bedtime reading: https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/

-boB

______________________________________________
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel