[OS X TeX] log4j use in MacTeX 2021

Herbert Schulz herbs at wideopenwest.com
Fri Dec 24 21:17:56 EST 2021


The CAST tool from CrowdStrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.

{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}

Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):

sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara

Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.

Tool used for scanning: https://github.com/CrowdStrike/CAST/releases

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
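
Added example, not part of the original post and not CrowdStrike's code: when "many of these lines appear", grouping the CAST JSON lines by container shows which archives were flagged and how many log4j members each one holds. The field names come from the line quoted in the post; the second container, the JndiLookup record, the all-zero hashes and the non-JSON line are constructed sample input, and reporting whether JndiLookup.class (the class Apache's log4j mitigation guidance says to remove) is among the members is an addition of this example.

```python
import json
from collections import defaultdict

ARARA_JAR = "/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar"
# Assumption: CAST reports this member with the same path style as the quoted line.
LOOKUP_CLASS = "/org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _constructed(container, path):
    """Build a made-up finding in the same shape as the line quoted in the post."""
    return json.dumps({"container": container,
                       "member": {"path": path, "size": 0,
                                  "modified": "2020-11-06T14:03:10Z"},
                       "sha256": "0" * 64})  # placeholder hash, not a real value

SAMPLE = [
    # The finding quoted in the post, unchanged.
    '{"container":"' + ARARA_JAR + '","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}',
    # Constructed records and one constructed non-JSON line.
    _constructed(ARARA_JAR, LOOKUP_CLASS),
    _constructed("/opt/example/app.jar", "/org/apache/logging/log4j/core/Logger.class"),
    "scan finished",
]

def summarize(lines):
    """Group findings by container; return (per-container summary, skipped line count)."""
    found = defaultdict(lambda: {"members": 0, "jndi_lookup": False, "newest": ""})
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
            container, member = rec["container"], rec["member"]
            path = member["path"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # not a finding record: other output or a truncated line
            continue
        entry = found[container]
        entry["members"] += 1
        entry["jndi_lookup"] |= path.endswith(LOOKUP_CLASS)
        # Timestamps share one ISO-8601 UTC format, so string comparison orders them.
        entry["newest"] = max(entry["newest"], member.get("modified", ""))
    return dict(found), skipped

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE)
    for container, info in sorted(summary.items()):
        print(container, info)
    print("lines skipped:", skipped)
```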
