For any customers concerned about log4j or Spring4Shell.
Posted: Mon Apr 04, 2022 3:26 pm
by bbadmin
For any customers concerned about log4j or Spring4Shell vulnerability, we can confirm that neither TextPad nor our website uses log4j or Spring4Shell.
Posted: Tue Apr 05, 2022 12:41 pm
by AmigoJack
Associating Java with this product feels like asking if animals were harmed during the production: chances are so off that questioning it can only be reasoned by e.g. panic.
What is a bit more concerning: on 2022-03-25 a threat in ZLIB was discovered and every implementation after 1.2.2.1 and before 1.2.12 is affected. The ZLIB compression is used in e.g. PNG and HTTP and ZIP - everything that uses DEFLATE. Could you please check for that, too? I'm not expecting it to be in TextPad, tho. See:
https://cve.mitre.org/cgi-bin/cvename.c ... 2018-25032
https://github.com/madler/zlib/blob/mas ... geLog#L784
https://en.wikipedia.org/wiki/Zlib
Posted: Mon May 16, 2022 9:04 am
by AmigoJack
Bumping.
Posted: Mon Oct 10, 2022 5:22 pm
by bbadmin
Sorry, missed this the first time around.
TextPad does use zlib, but only to load the PNG buttons for its toolbars. Hence it calls inflate, but not deflate, to which the CVE applies.
Interestingly, as of 16th September, this vulnerability has been modified and is currently undergoing reanalysis. See
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
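
One way to check a binary for the distinction discussed in this thread (inflate only versus deflate linked in), as an added example that is not from any poster or from the TextPad vendor. It assumes the binary still carries the version banners that zlib's `inflate.c` and `deflate.c` compile in, uses the version range exactly as stated in the thread, and all sample bytes and function names are constructed for illustration.

```python
import re
import sys

# zlib embeds banners such as
#   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
#   " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
BANNER = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3})\S* Copyright")

# Range as stated in the thread: after 1.2.2.1 and before 1.2.12.
RANGE_LOW = (1, 2, 2, 1)
RANGE_HIGH = (1, 2, 12, 0)

def parse_version(text):
    """'1.2.11' -> (1, 2, 11, 0), padded so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_thread_range(version):
    return RANGE_LOW < version < RANGE_HIGH

def scan(data):
    """Collect the zlib versions seen for each of the two code paths."""
    found = {"inflate": set(), "deflate": set()}
    for match in BANNER.finditer(data):
        component = match.group(1).decode()
        found[component].add(parse_version(match.group(2).decode()))
    return found

def assess(data):
    """Heuristic verdict; a missing banner does not prove zlib is absent."""
    found = scan(data)
    if not found["inflate"] and not found["deflate"]:
        return "no-zlib-banner"
    if not found["deflate"]:
        return "inflate-only"
    if any(in_thread_range(v) for v in found["deflate"]):
        return "deflate-in-range"
    return "deflate-out-of-range"

# Constructed sample inputs (not taken from any real product).
INFLATE_ONLY = b"\x00PNG\x00 inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
BOTH = INFLATE_ONLY + (
    b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00")
PATCHED = b" deflate 1.2.12 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            print(path, assess(handle.read()))
```

The check only sees statically linked copies with intact banners; a zlib loaded from a shared library has to be checked on that library file instead.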