Log4J Security Vulnerability and Fedora


bse...@jhu.edu

Dec 14, 2021, 11:15:58 AM
to Fedora Tech

Hello Everyone, 

In light of the security vulnerability recently identified in the Java library Log4j [1], a number of folks looked through the Fedora code. 

We have determined that Fedora versions 3, 4, 5, and 6 do not use log4j and are not susceptible to the vulnerability.  They all use Logback as their logging implementation, and explicitly exclude log4j dependencies. 

There is one test dependency on log4j, but it is not present in any deployments and is not a version impacted by the vulnerability.

If you have any questions or concerns, please feel free to reach out to us via the Fedora email list or our Slack group [2]. 

Best,

Bethany Seeger

On behalf of the Fedora Committers

[1]  https://www.lunasec.io/docs/blog/log4j-zero-day/

[2]  https://wiki.lyrasis.org/display/FF/Mailing+Lists+etc


Daniel Bernstein

Dec 14, 2021, 11:17:14 AM
to Fedora Tech
Thank you for calling this out, Bethany.