What is the state of log4j / log4shell in other Fedora-shipped packages?


Even though I’m an end-user on a desktop and am not exposed publicly to log4j exploitation, I wanted to assess my current mitigation against the vulnerability. I’ve already installed the log4j update from bodhi, but I know that many applications ship with their own, standalone version of log4j.

Therefore, I made a system-wide filesystem scan to list all files related to log4j. In that list, I also saw the following files:


According to the timestamps, these files were not updated with the log4j patch. A $dnf provides lookup showed that these files belong to the package ant-apache-log4j-1.10.9-2.fc34.noarch.

So, my question is, if that package also requires an update? I don’t think it does, but I wanted to assure that I’m not wrong on this.

Thank you!
Stay safe and up to date. And a big heart to all administrators and security professionals who have to deal with this just before Christmas. They generally don’t get enough gratitude for their work.

(edit: grammar)