Hi all. I note the new release with the fix for the Latex vuln. The workaround, ahead of upgrading, is to clear/unset the XELATEX_PATH env var and restart. Does anyone know what the effect would be of simply renaming the target of that env var, so Indico can not access it?
Clearly this would be entirely temporary, but would mean some protection, ahead of scheduling the restart.
Thanks
XELATEX_PATH is not an env var, it’s an indico.conf setting. So just comment it out. It will only disable LaTeX functionality (e.g. building book of abstracts or contribution pdfs), so there’s a good chance that people won’t even notice it’s missing.
Thanks for the reply. Do you mean that commenting it out, without a restart of Indico’s services, is sufficient? I will be scheduling a restart anyway, after unsetting the conf setting. What I was wondering, though, was, in advance of that, can I just move the file that the conf setting points at, to prevent it being used?
You need to restart indico-uwsgi.service. This does not cause any noticeable disruption, it’s a matter of a few seconds at most. It is not possible to change the config without a restart.
But yes, chmod -x ... on the xelatex binary should also work (or anything else such as removing/renaming it). Not what I’d recommend though, since a restart is really not much of an issue. And you will get errors in your indico log for any attempted LaTeX build if the binary is not callable…
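A small check script, added here as an example and not part of Indico or of the replies above, for confirming on disk that the workaround from this thread is actually in place: either the `XELATEX_PATH` setting in indico.conf is commented out, or whatever it points at is no longer callable (the `chmod -x` / rename route). It assumes indico.conf uses the Python-style assignment `XELATEX_PATH = '...'`, looks a bare command name up on `PATH` the way the service would, and fails closed when the value cannot be parsed. The directories and dummy `xelatex` stand-in in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not Indico project code): verify the XELATEX_PATH workaround.
# Assumes indico.conf holds a Python-style assignment such as
#   XELATEX_PATH = '/usr/bin/xelatex'   or   XELATEX_PATH = 'xelatex'
# Paths and the dummy binary used in demo() are constructed for this example.

# Print the value of an uncommented XELATEX_PATH assignment; return 1 if none.
active_xelatex_path() {
    value=$(sed -n "s/^[[:space:]]*XELATEX_PATH[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Return 0 if any uncommented XELATEX_PATH assignment exists at all, even one
# whose value we cannot parse, so an unusual value fails closed rather than open.
has_active_setting() {
    grep -q "^[[:space:]]*XELATEX_PATH[[:space:]]*=" "$1"
}

# Resolve the configured value to a file: a bare name is looked up on PATH,
# which is how the service would find it when spawning the process.
resolve_binary() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   command -v "$1" 2>/dev/null ;;
    esac
}

# Verdict on the on-disk state: prints a one-line reason and returns
# 0 when LaTeX cannot be invoked, 1 when it still can (or the state is unknown).
latex_workaround_status() {
    conf="$1"
    if ! has_active_setting "$conf"; then
        echo "mitigated: no active XELATEX_PATH in $conf"
        return 0
    fi
    if ! setting=$(active_xelatex_path "$conf"); then
        echo "exposed: XELATEX_PATH is set but its value could not be parsed; check $conf by hand"
        return 1
    fi
    bin=$(resolve_binary "$setting") || bin=""
    if [ -n "$bin" ] && [ -f "$bin" ] && [ -x "$bin" ]; then
        echo "exposed: XELATEX_PATH='$setting' resolves to executable $bin"
        return 1
    fi
    echo "mitigated: XELATEX_PATH='$setting' is not callable"
    return 0
}

# Demo on a throwaway directory with a dummy xelatex stand-in.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$tmp/xelatex" && chmod +x "$tmp/xelatex"
    printf "XELATEX_PATH = '%s'\n" "$tmp/xelatex" > "$tmp/indico.conf"
    latex_workaround_status "$tmp/indico.conf"           # exposed
    chmod -x "$tmp/xelatex"                              # the chmod -x route
    latex_workaround_status "$tmp/indico.conf"           # mitigated
    printf "# XELATEX_PATH = '%s'\n" "$tmp/xelatex" > "$tmp/indico.conf"
    latex_workaround_status "$tmp/indico.conf"           # mitigated
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh check_xelatex.sh --demo` to see the three states, or source it and call `latex_workaround_status /path/to/indico.conf` against the real file. It only inspects the file system: as the reply above notes, the running indico-uwsgi.service keeps the old config value until it is restarted, so a "mitigated" verdict from the commented-out setting counts only after that restart, whereas a non-executable binary takes effect immediately.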
Thanks for the extra insight. As you mentioned, the restart is quick anyway, so we went ahead with that.