[OS X TeX] log4j use in MacTeX 2021
Gerben Wierda via MacOSX-TeX
macosx-tex at email.esm.psu.edu
Sat Dec 25 01:07:41 CET 2021
The CAST tool from CrowdStrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.
{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}
Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):
sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara
Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.
Tool used for scanning: https://github.com/CrowdStrike/CAST/releases
Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
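
A way to look inside a flagged jar before deciding what to do with it, given as an added example that is not part of the original post and is not CrowdStrike's or arara's code. It counts bundled log4j-core classes, checks for JndiLookup.class (the class that Apache's published mitigation removes from the jar) and reads the declared log4j-core version if the jar kept its Maven metadata. It assumes the metadata path below survives repackaging, and the sample jar and its version string are constructed.

```python
import io
import sys
import zipfile

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
# Assumption: a jar that bundles log4j-core may still carry this Maven metadata file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar):
    """Summarise bundled log4j-core content in a jar (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        core = [n for n in names
                if n.startswith(LOG4J_CORE_PREFIX) and n.endswith(".class")]
        version = None
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "log4j_core_classes": len(core),   # how many members a scanner would flag
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "declared_version": version,       # None when the metadata was stripped
    }


def build_sample_jar(with_jndi=True, version="0.0.0-constructed"):
    """Constructed stand-in jar for the demo; not the real arara.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_CORE_PREFIX
                    + "async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class",
                    b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        if version:
            zf.writestr(POM_PROPS, "version=" + version + "\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a jar path on the command line, or run with no argument for the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    print(inspect_jar(target))
```

The result only says what the jar contains; whether the bundled version is an affected one still has to be checked against the log4j project's advisories.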