For any customers concerned about log4j or Spring4Shell.

Post by **bbadmin** » Mon Apr 04, 2022 3:26 pm

For any customers concerned about log4j or Spring4Shell vulnerability, we can confirm that neither TextPad nor our website uses log4j or Spring4Shell.

Post by **AmigoJack** » Tue Apr 05, 2022 12:41 pm

Associating Java with this product feels like asking if animals were harmed during the production: chances are so off that questioning it can only be reasoned by i.e. panic.

What is a bit more concerning: in 2022-03-25 a threat in ZLIB was discovered and every implementation after 1.2.2.1 and before 1.2.12 is affected. The ZLIB compression is used in i.e. PNG and HTTP and ZIP - everything that uses DEFLATE. Could you please check for that, too? I'm not expecting it to be in TextPad, tho. See:
https://cve.mitre.org/cgi-bin/cvename.c ... 2018-25032
https://github.com/madler/zlib/blob/mas ... geLog#L784
https://en.wikipedia.org/wiki/Zlib

Post by **AmigoJack** » Mon May 16, 2022 9:04 am

Bumping.

Post by **bbadmin** » Mon Oct 10, 2022 5:22 pm

Sorry, missed this the first time around.

TextPad does use zlib, but only to load the PNG buttons for its toolbars. Hence it calls inflate, but not deflate to which the CVE applies.

Interestingly, as of 16th September, this vulnerability has been modified and is currently undergoing reanalysis. See https://nvd.nist.gov/vuln/detail/CVE-2018-25032