Even though I’m an end-user on a desktop and am not exposed publicly to log4j exploitation, I wanted to assess my current mitigation against the vulnerability. I’ve already installed the log4j update from bodhi, but I know that many applications ship with their own, standalone version of log4j.
Therefore, I made a system-wide filesystem scan to list all files related to log4j. In that list, I also saw the following files:
According to the timestamps, these files were not updated with the log4j patch. A $dnf provides lookup showed that these files belong to the package
So, my question is whether that package also requires an update. I don’t think it does, but I wanted to make sure that I’m not wrong on this.
Stay safe and up to date. And a big heart to all administrators and security professionals who have to deal with this just before Christmas. They generally don’t get enough gratitude for their work.