Bug 29915

Summary: texlive security issues due to embedded log4j
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Marc Krämer <mageia>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: texlive-20210325-3.mga9.src.rpm CVE:
Status comment: Patch available from Fedora

Description David Walser 2022-01-20 20:05:49 CET
Fedora has issued an advisory today (January 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQVHB5NDIZBYQOOR27366WCAOCDOXUI3/

Mageia 8 may also be affected.
David Walser 2022-01-20 20:06:06 CET

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-20 20:21:29 CET
Assigning this to SRPM packager MarcK.

Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2022-01-21 11:09:11 CET
Like Fedora says, it is not very likely this will/can be exploited.
As this is just a tool running on the command line to automate compilation of TeX. It is not worth patching this for mga8.

Comment 3 Marc Krämer 2022-01-21 11:16:14 CET
Checked mga8: no log4j; logback is used here.
Marc Krämer 2022-01-21 11:16:19 CET

Whiteboard: MGA8TOO => (none)

Comment 4 Marc Krämer 2023-09-07 21:09:52 CEST
No need to fix this.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED