Hello Everyone,
In light of the security vulnerability recently identified in the Java library Log4j [1], a number of folks looked through the Fedora code.
We have determined that Fedora versions 3, 4, 5, and 6 do not use log4j and are not susceptible to the vulnerability. They all use Logback as their logging implementation, and explicitly exclude log4j dependencies.
There is one test dependency on log4j, but it is not present in any deployments and is not a version impacted by the vulnerability.
If you have any questions or concerns, please feel free to reach out to us via the Fedora email list or our Slack group [2].
Best,
Bethany Seeger
On behalf of the Fedora Committers
[1] https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] https://wiki.lyrasis.org/display/FF/Mailing+Lists+etc