Bug 2039492

Summary: arara embeds a vulnerable version of log4j
Product: [Fedora] Fedora Reporter: Ben Webb <ben>
Component: texlive-baseAssignee: Tom "spot" Callaway <spotrh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 35CC: spotrh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: texlive-base-20210325-44.fc35 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-20 14:53:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ben Webb 2022-01-11 19:08:05 UTC 
Description of problem:
The 'arara' tool bundles a vulnerable version (2.14.1) of log4j.

While this probably doesn't make arara any more vulnerable to untrusted .tex files that it is already, it's probably a good idea to replace this vulnerable version of log4j. (If nothing else, it removes a false positive from scans for log4j exploits.)

Version-Release number of selected component (if applicable):
texlive-arara-20210325-40.fc35.noarch.rpm

How reproducible:
Always


Steps to Reproduce:
1. unzip -q -c /usr/share/texlive/texmf-dist/scripts/arara/arara.jar META-INF/maven/org.apache.logging.log4j/log4j-api/pom.xml|grep -A 3 org.apache.logging.log4j|head -4

Actual results:
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>2.14.1</version>
    <relativePath>../</relativePath>


Expected results:
log4j should be newer than 2.14.1, probably 2.17.1.

Additional info:
Looks like upstream already fixed this, so it should be as simple as just an update:
https://gitlab.com/islandoftex/arara/-/issues/77
Comment 1 Fedora Update System 2022-01-12 23:18:09 UTC 
FEDORA-2022-639b9d2b85 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-639b9d2b85
Comment 2 Fedora Update System 2022-01-13 01:12:12 UTC 
FEDORA-2022-639b9d2b85 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-639b9d2b85`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-639b9d2b85

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Fedora Update System 2022-01-20 14:53:19 UTC 
FEDORA-2022-639b9d2b85 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.