Package: texlive-extra-utils
Severity: grave
Version: 2021.20211127-1
Tags: security

texlive-extra-utils contains arara (https://github.com/islandoftex/arara) which was updated two days ago via TeX Live (https://www.tug.org/texlive/) which was updated slightly after that. Please update to the newest TeX Live ASAP, as arara in unstable and testing (also stable?) currently bundles a vulnerable apache-log4j2 version. The alternative would be to remove the JndiLookup.class file from the relevant .jar. This causes a warning but otherwise doesn't affect execution and seems to properly avoid the vulnerabilities in CVE-2021-45046 and CVE-2021-44228.
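
A way to check a jar for the class named in this report and to produce a copy without it, including copies inside nested jars. This is an added example, not part of the original report and not arara or Debian tooling; the function names and the sample archive are constructed for illustration, and the class path is the one log4j-core uses.

```python
import io
import zipfile

# Path of the class inside log4j-core, and inside jars that bundle it unpacked.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_jndi_lookup(jar_bytes, prefix=""):
    """Return the path of every JndiLookup.class, descending into nested jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(JNDI_LOOKUP):
                hits.append(prefix + name)
            elif name.lower().endswith((".jar", ".war", ".ear")):
                hits += find_jndi_lookup(jar.read(name), prefix + name + "!/")
    return hits


def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar with JndiLookup.class removed at every level."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.endswith(JNDI_LOOKUP):
                continue  # leave the lookup class out of the copy
            data = src.read(info.filename)
            if info.filename.lower().endswith((".jar", ".war", ".ear")):
                data = strip_jndi_lookup(data)  # rewrite the nested archive too
            dst.writestr(info, data)
    return out.getvalue()


def build_sample_jar():
    """Constructed sample: the class bundled directly plus once in a nested jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"constructed placeholder, not real bytecode")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_LOOKUP, b"constructed placeholder, not real bytecode")
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print(find_jndi_lookup(sample), "->", find_jndi_lookup(strip_jndi_lookup(sample)))
```

To use it on a real file, read the jar's bytes, run `find_jndi_lookup` on them, and write the result of `strip_jndi_lookup` to a new file so the original stays available for comparison.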