<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<br class="">
<div>Folks,</div>
<div><br class="">
</div>
<div>See</div>
<div><br class="">
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><a href="https://gitlab.com/islandoftex/arara/-/releases" class="">https://gitlab.com/islandoftex/arara/-/releases</a></div>
<div><br class="">
</div>
<div>for release 6.1.5 of arara. Paulo Cereda writes</div>
<div><br class="">
</div>
<div>"<span style="font-family: -webkit-standard; font-size: medium;" class="">Yet another </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: medium;" class=""> vulnerability was found (</span><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" rel="nofollow noreferrer noopener" class="">CVE-2021-45105</a><span style="font-family: -webkit-standard; font-size: medium;" class="">),
 and it affects the library version (2.16.0) we use in </span><code class="">arara</code><span style="font-family: -webkit-standard; font-size: medium;" class=""> 6.1.4. Although there's no attack vector for us (as we do not rely on thread context maps), it's
 wise to bump dependencies once again and issue a patch release. It's been reported that </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: medium;" class=""> 2.17.0 fixes this vulnerability."</span></div>
<div><br class="">
</div>
<div>and the latest release says</div>
<div><br class="">
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><span style="font-family: -webkit-standard; font-size: medium;" class="">Fixed shipping a vulnerable </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: medium;" class=""> version.</span></div>
<div><br class="">
</div>
<div>It is important, of course, to get this into TeX Live rapidly, and until that happens users should pay attention to Gerben's warning.</div>
<div><br class="">
</div>
<div>Richard Koch </div>
<div><br class="">
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span><br class="">
<blockquote type="cite" class="">
<div class="">On Dec 24, 2021, at 6:28 PM, Herbert Schulz <<a href="mailto:herbs@wideopenwest.com" class="">herbs@wideopenwest.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><br class="">
<br class="">
<blockquote type="cite" class="">On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <<a href="mailto:macosx-tex@email.esm.psu.edu" class="">macosx-tex@email.esm.psu.edu</a>> wrote:<br class="">
<br class="">
The CAST tool from CrowdStrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.<br class="">
<br class="">
{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}<br class="">
<br class="">
Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):<br class="">
<br class="">
sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara<br class="">
<br class="">
Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.<br class="">
<br class="">
Tool used for scanning: <a href="https://github.com/CrowdStrike/CAST/releases" class="">
https://github.com/CrowdStrike/CAST/releases</a><br class="">
<br class="">
Gerben Wierda (LinkedIn)<br class="">
R&A IT Strategy (main site)<br class="">
Book: Chess and the Art of Enterprise Architecture<br class="">
Book: Mastering ArchiMate<br class="">
</blockquote>
<br class="">
Howdy.<br class="">
<br class="">
Arara is, in the end, a Java application (please, not the same as JavaScript) which is subject to the (major) log4j bug. I'm not sure how many Java applications are used in TeX Live.<br class="">
<br class="">
Good Luck,<br class="">
<br class="">
Herb Schulz<br class="">
<a href="mailto:herbs@wideopenwest.com" class="">herbs@wideopenwest.com</a><br class="">
<br class="">
<br class="">
----------- Please Consult the Following Before Posting -----------<br class="">
TeX FAQ: http://www.tex.ac.uk/faq<br class="">
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/<br class="">
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx<br class="">
               https://email.esm.psu.edu/pipermail/macosx-tex/<br class="">
TeX on Mac OS X Website: http://mactex-wiki.tug.org/<br class="">
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex<br class="">
</div>
</div>
</blockquote>
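<div><br class="">
</div>
<div>The scan Gerben describes above reports individual log4j-core classes found inside arara.jar. The following Python script is an added example (not part of this thread, nor code from the arara or CAST projects) of the narrower check a defender can run offline against a TeX Live tree: it opens every jar under a directory, reports whether log4j-core classes are bundled, reads the log4j version from Maven's pom.properties when the jar kept that file (an assumption; shaded builds do not always retain it), and treats any version below 2.17.0, or an unknown one, as needing attention.</div>

```python
import io
import re
import zipfile
from pathlib import Path

# Every log4j-core build ships classes under this prefix; the CAST hit above is one of them.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Maven build metadata that shaded jars often keep (assumption: not every build retains it).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # 2.17.0 fixes CVE-2021-45105, per the release note quoted above


def parse_version(text):
    """Turn '2.16.0' into (2, 16, 0); trailing qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_jar_bytes(data):
    """Inspect one jar image: is log4j-core bundled, which version, and is it below the fix?"""
    result = {"has_log4j_core": False, "classes": 0, "version": None, "vulnerable": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        core = [n for n in names if n.startswith(LOG4J_CORE_PREFIX) and n.endswith(".class")]
        result["classes"] = len(core)
        result["has_log4j_core"] = bool(core)
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
    if result["has_log4j_core"]:
        # An unrecorded version is reported as needing attention, never as safe.
        result["vulnerable"] = result["version"] is None or parse_version(result["version"]) < FIXED_VERSION
    return result


def scan_tree(root):
    """Walk a directory (e.g. texmf-dist/scripts of a TeX Live install) and scan every .jar in it."""
    return {str(jar): scan_jar_bytes(jar.read_bytes()) for jar in Path(root).rglob("*.jar")}


def build_sample_jar(version, bundle_log4j=True):
    """Constructed fixture: a tiny jar with a log4j-core class stub and its pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if bundle_log4j:
            zf.writestr(LOG4J_CORE_PREFIX + "async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class",
                        b"\xca\xfe\xba\xbe")  # class-file magic only; no real bytecode
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()
```

Calling scan_tree("/usr/local/texlive/2021/texmf-dist/scripts") reports each jar found there with its bundled log4j-core status, which is the information needed to decide whether the arara 6.1.5 update has actually landed rather than deleting the directory outright.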
</div>
<br class="">
</body>
</html>