For any customers concerned about log4j or Spring4Shell.

bbadmin
Site Admin
Posts: 808
Joined: Mon Feb 17, 2003 8:54 pm

Post by bbadmin »

For any customers concerned about the log4j or Spring4Shell vulnerability, we can confirm that neither TextPad nor our website uses log4j or Spring4Shell.
AmigoJack
Posts: 490
Joined: Sun Oct 30, 2016 4:28 pm
Location: グリーン ヒル ゾーン

Post by AmigoJack »

Associating Java with this product feels like asking if animals were harmed during the production: chances are so off that questioning it can only be reasoned by e.g. panic.

What is a bit more concerning: on 2022-03-25 a threat in ZLIB was discovered and every implementation after 1.2.2.1 and before 1.2.12 is affected. The ZLIB compression is used in e.g. PNG and HTTP and ZIP - everything that uses DEFLATE. Could you please check for that, too? I'm not expecting it to be in TextPad, though. See:
https://cve.mitre.org/cgi-bin/cvename.c ... 2018-25032
https://github.com/madler/zlib/blob/mas ... geLog#L784
https://en.wikipedia.org/wiki/Zlib
AmigoJack
Posts: 490
Joined: Sun Oct 30, 2016 4:28 pm
Location: グリーン ヒル ゾーン

Post by AmigoJack »

Bumping.
bbadmin
Site Admin
Posts: 808
Joined: Mon Feb 17, 2003 8:54 pm

Post by bbadmin »

Sorry, missed this the first time around.

TextPad does use zlib, but only to load the PNG buttons for its toolbars. Hence it calls inflate, but not deflate, to which the CVE applies.

Interestingly, as of 16th September, this vulnerability has been modified and is currently undergoing reanalysis. See https://nvd.nist.gov/vuln/detail/CVE-2018-25032
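
The inflate-versus-deflate distinction drawn above can be checked on a binary that statically links zlib. This is an added example and not part of the thread or of TextPad's code: it looks for the copyright strings that zlib's `deflate.c` and `inftrees.c` compile in and applies the version range quoted earlier in the thread. The sample byte strings are constructed, and `triage` and the other function names are hypothetical.

```python
import re

# Copyright strings that zlib's deflate.c and inftrees.c compile into a binary,
# e.g. b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ".
ZLIB_TAG = re.compile(rb" (deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} ")

# Affected range as stated in the thread: after 1.2.2.1 and before 1.2.12.
AFTER, BEFORE = (1, 2, 2, 1), (1, 2, 12, 0)


def parse_version(text):
    """'1.2.11' -> (1, 2, 11, 0), so 1.2.2.1 and 1.2.12 compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def in_affected_range(version):
    return AFTER < parse_version(version) < BEFORE


def triage(blob):
    """Report which zlib halves are linked into a binary image, per version."""
    found = {}
    for kind, ver in ZLIB_TAG.findall(blob):
        found.setdefault(ver.decode(), set()).add(kind.decode())
    report = []
    for ver, kinds in sorted(found.items(), key=lambda kv: parse_version(kv[0])):
        has_deflate = "deflate" in kinds
        report.append({
            "version": ver,
            "inflate_linked": "inflate" in kinds,
            "deflate_linked": has_deflate,
            # The CVE is in the compression path, so both conditions must hold.
            "needs_review": has_deflate and in_affected_range(ver),
        })
    return report


# Constructed sample images (not real binaries): padding around the strings.
INFLATE_ONLY = b"MZ\x90\x00 inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00\x00"
FULL_ZLIB = INFLATE_ONLY + (
    b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00")

if __name__ == "__main__":
    for name, blob in (("inflate only", INFLATE_ONLY), ("full zlib", FULL_ZLIB)):
        print(name, triage(blob))
```

A binary that loads zlib from a shared library carries neither string, and a deflate string shows only that the compression code is linked in, not that it is ever called.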