<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">The really serious issue has been solved in log4j 2.16.0. After the close scrutiny which naturally followed, some more convoluted vulnerabilities have been found which are/will be fixed in 2.17.0.<div class=""><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; 
line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><div class="">Gerben Wierda (<a href="https://www.linkedin.com/in/gerbenwierda" class="">LinkedIn</a>)</div><div class=""><a href="https://ea.rna.nl/" class="">R&A IT Strategy</a> (main site)<br class="">Book: <a href="https://ea.rna.nl/the-book/" class="">Chess and the Art of Enterprise Architecture</a><br class="">Book: <a href="https://ea.rna.nl/the-book-edition-iii/" class="">Mastering ArchiMate</a><br class=""></div></div></div></div></div></div></div></div></div>
</div>
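<div class="">The defender-side check this thread amounts to, as an added example (my code, not the list's, CrowdStrike CAST's or arara's): open a jar, find bundled log4j-core classes, read the version from the Maven pom.properties and flag anything below the 2.17.0 release named here as fixing CVE-2021-45105, emitting one JSON finding per class in the same container/member/sha256 shape as the CAST line quoted further down the thread. The scanned jar, its path and the application package are constructed placeholders.</div>

```python
"""Added example, not code from the mailing-list thread, CAST or arara:
scan a jar for a bundled log4j-core and flag versions below the fix
release named in the thread. The jar scanned here is constructed, not arara.jar."""
import hashlib, io, json, zipfile

FIXED_VERSION = (2, 17, 0)  # release the thread names as fixing CVE-2021-45105
CORE_PREFIX = "org/apache/logging/log4j/core/"  # log4j-core class prefix
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); qualifiers such as '-rc1' are dropped."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))

def scan_jar(data, container):
    """Return CAST-style findings (one dict per log4j-core class) for jar bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = None
        if POM_PROPS in jar.namelist():
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        # No version metadata is treated as vulnerable until proven otherwise.
        vulnerable = version is None or version < FIXED_VERSION
        for info in jar.infolist():
            if info.filename.startswith(CORE_PREFIX) and info.filename.endswith(".class"):
                findings.append({
                    "container": container,
                    "member": {"path": "/" + info.filename, "size": info.file_size},
                    "sha256": hashlib.sha256(jar.read(info)).hexdigest(),
                    "log4j_version": ".".join(map(str, version)) if version else "unknown",
                    "below_fixed_release": vulnerable,
                })
    return findings

def build_sample_jar(version):
    """Constructed stand-in jar: one log4j-core class, one app class, pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe stub")
        jar.writestr("com/example/app/Main.class", b"\xca\xfe\xba\xbe stub")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("2.16.0", "2.17.0"):  # one pre-fix and one fixed sample
        for finding in scan_jar(build_sample_jar(v), "/placeholder/path/app.jar"):
            print(json.dumps(finding))
```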
<div><br class=""><blockquote type="cite" class=""><div class="">On 25 Dec 2021, at 04:03, Richard Koch <<a href="mailto:koch@uoregon.edu" class="">koch@uoregon.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">

<div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<br class="">
<div class="">Folks,</div>
<div class=""><br class="">
</div>
<div class="">See</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span><a href="https://gitlab.com/islandoftex/arara/-/releases" class="">https://gitlab.com/islandoftex/arara/-/releases</a></div>
<div class=""><br class="">
</div>
<div class="">for release 6.1.5 of arara. Paulo Cereda writes</div>
<div class=""><br class="">
</div>
<div class="">"<span style="font-family: -webkit-standard; font-size: inherit;" class="">Yet another </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: inherit;" class=""> vulnerability was found (</span><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" rel="nofollow noreferrer noopener" class="">CVE-2021-45105</a><span style="font-family: -webkit-standard; font-size: inherit;" class="">),
 and it affects the library version (2.16.0) we use in </span><code class="">arara</code><span style="font-family: -webkit-standard; font-size: inherit;" class=""> 6.1.4. Although there's no attack vector for us (as we do not rely on thread context maps), it's
 wise to bump dependencies once again and issue a patch release. It's been reported that </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: inherit;" class=""> 2.17.0 fixes this vulnerability."</span></div>
<div class=""><br class="">
</div>
<div class="">and the latest release says</div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span><span style="font-family: -webkit-standard; font-size: inherit;" class="">Fixed shipping a vulnerable </span><code class="">log4j</code><span style="font-family: -webkit-standard; font-size: inherit;" class=""> version.</span></div>
<div class=""><br class="">
</div>
<div class="">It is important, of course, to get this into TeX Live rapidly, and until that happens users should pay attention to Gerben's warning.</div>
<div class=""><br class="">
</div>
<div class="">Richard Koch </div>
<div class=""><br class="">
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span><br class="">
<blockquote type="cite" class="">
<div class="">On Dec 24, 2021, at 6:28 PM, Herbert Schulz <<a href="mailto:herbs@wideopenwest.com" class="">herbs@wideopenwest.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><br class="">
<br class="">
<blockquote type="cite" class="">On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <<a href="mailto:macosx-tex@email.esm.psu.edu" class="">macosx-tex@email.esm.psu.edu</a>> wrote:<br class="">
<br class="">
The CAST tool from Crowdstrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.<br class="">
<br class="">
{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}<br class="">
<br class="">
Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):<br class="">
<br class="">
sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara<br class="">
<br class="">
Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.<br class="">
<br class="">
Tool used for scanning: <a href="https://github.com/CrowdStrike/CAST/releases" class="">
https://github.com/CrowdStrike/CAST/releases</a><br class="">
<br class="">
Gerben Wierda (LinkedIn)<br class="">
R&A IT Strategy (main site)<br class="">
Book: Chess and the Art of Enterprise Architecture<br class="">
Book: Mastering ArchiMate<br class="">
</blockquote>
<br class="">
Howdy.<br class="">
<br class="">
Arara is, in the end, a Java application (please, not the same as JavaScript) which is subject to the (major) log4j bug. I'm not sure how many Java applications are used in TeX Live.<br class="">
<br class="">
Good Luck,<br class="">
<br class="">
Herb Schulz<br class="">
<a href="mailto:herbs@wideopenwest.com" class="">herbs@wideopenwest.com</a><br class="">
<br class="">
<br class="">
----------- Please Consult the Following Before Posting -----------<br class="">
TeX FAQ: <a href="http://www.tex.ac.uk/faq" class="">http://www.tex.ac.uk/faq</a><br class="">
List Reminders and Etiquette: <a href="https://sites.esm.psu.edu/~gray/TeX/" class="">https://sites.esm.psu.edu/~gray/TeX/</a><br class="">
List Archives: <a href="http://dir.gmane.org/gmane.comp.tex.macosx" class="">http://dir.gmane.org/gmane.comp.tex.macosx</a><br class="">
               <a href="https://email.esm.psu.edu/pipermail/macosx-tex/" class="">https://email.esm.psu.edu/pipermail/macosx-tex/</a><br class="">
TeX on Mac OS X Website: <a href="http://mactex-wiki.tug.org/" class="">http://mactex-wiki.tug.org/</a><br class="">
List Info: <a href="https://email.esm.psu.edu/mailman/listinfo/macosx-tex" class="">https://email.esm.psu.edu/mailman/listinfo/macosx-tex</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>

</div></blockquote></div><br class=""></div></body></html>