Log4j Security Vulnerability and Fedora


bse...@jhu.edu

Dec 14, 2021, 10:42:40 AM
to Fedora Community

Hello Everyone, 

In light of the security vulnerability recently identified in the Java library Log4j [1], a number of folks looked through the Fedora code. 

We have determined that Fedora versions 3, 4, 5, and 6 do _not_ use Log4j and are not susceptible to the vulnerability.  They all use Logback as their logging implementation, and explicitly exclude log4j dependencies. 

There is one test dependency on log4j, but it is not present in any deployments and is not a version impacted by the vulnerability.

If you have any questions or concerns, please feel free to reach out to us via the Fedora email list or our Slack group [2]. 

Best,

Bethany Seeger

On behalf of the Fedora Committers

[1]  https://www.lunasec.io/docs/blog/log4j-zero-day/

[2]  https://wiki.lyrasis.org/display/FF/Mailing+Lists+etc




west...@umd.edu

Dec 14, 2021, 1:28:40 PM
to Fedora Community
Thanks Bethany (and everyone who contributed to verifying this)! //Josh