Log4j vulnerability

Hey, does anyone know if FreedomBox is/was vulnerable to the log4j vuln, and if it’s been patched in the latest update?

If patched, what is the version we should be on to ensure we are running the patched version of log4j?

According to the Debian Security Advisory, the affected package is apache-log4j2. I don’t see that package listed as a FreedomBox dependency, nor do I see it installed on my FreedomBox (Pioneer Edition). I don’t have all FreedomBox applications installed, though, and I suppose some application or other could pull it in. From the Security Advisory, referring to apache-log4j2:

For the oldstable distribution (buster), this problem has been fixed in version 2.15.0-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 2.15.0-1~deb11u1.

As far as I know, i2p is the only Java application on FreedomBox. However, it’s currently not available for install on FreedomBox stable.

I cannot find anything related to i2p in the reverse dependencies of the package liblog4j2-java.

If the package liblog4j2-java is somehow installed on a FreedomBox, unattended-upgrades (if not disabled) should’ve upgraded it to the latest version (2.17.0) by now.

Update: I installed i2p on FreedomBox testing. It doesn’t install liblog4j2-java as a dependency.
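The two answers above turn on comparing an installed Debian version against the advisory's fixed versions (2.15.0-1~deb10u1 for buster, 2.15.0-1~deb11u1 for bullseye). As an added example, not code from any poster and not FreedomBox's own tooling, the script below implements the Debian version-ordering rules in plain Python (epoch, upstream, revision; `~` sorting before everything, even the end of the string) and applies them to `dpkg-query` output for the binary package liblog4j2-java named in the thread. The sample dpkg-query lines, including the version 2.11.1-2, are constructed for the demonstration.

```python
"""Check whether the installed liblog4j2-java meets the advisory's fixed version.

Added example; not part of the forum thread or of FreedomBox. The comparison
follows deb-version(7): a '~' sorts before anything else, including end of
string, which is why 2.15.0-1~deb11u1 is older than 2.15.0-1 yet newer than
2.11.x, and why a naive string or float comparison gets this wrong.
"""
import itertools
import re
import shutil
import subprocess

# Fixed versions as quoted from the Debian Security Advisory in the thread.
FIXED_VERSIONS = {
    "buster": "2.15.0-1~deb10u1",
    "bullseye": "2.15.0-1~deb11u1",
}

# Binary package named in the thread (its source package is apache-log4j2).
WATCHED_PACKAGES = ("liblog4j2-java",)

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
liblog4j2-java 2.11.1-2
libslf4j-java 1.7.30-1
"""


def _char_order(c):
    """Ordering for characters in the non-digit runs of a version string."""
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)       # letters sort before non-letters
    return ord(c) + 256     # '.', '+', etc. sort after letters


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character has order 0."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream version or revision as alternating non-digit/digit runs."""
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in itertools.zip_longest(ta, tb, fillvalue=("", "")):
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)   # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def assess(dpkg_lines, fixed_version, watched=WATCHED_PACKAGES):
    """Map each watched package to 'not installed', 'fixed' or 'vulnerable (...)'."""
    status = {pkg: "not installed" for pkg in watched}
    for line in dpkg_lines:
        parts = line.split()
        if len(parts) != 2 or parts[0] not in status:
            continue
        pkg, ver = parts
        if deb_version_cmp(ver, fixed_version) >= 0:
            status[pkg] = "fixed"
        else:
            status[pkg] = "vulnerable (%s < %s)" % (ver, fixed_version)
    return status


def query_dpkg(packages=WATCHED_PACKAGES):
    """Return 'package version' lines from dpkg-query; [] off Debian or if absent."""
    if shutil.which("dpkg-query") is None:
        return []
    proc = subprocess.run(
        ["dpkg-query", "-W", "-f=${Package} ${Version}\n", *packages],
        capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Assumes a bullseye host; pick "buster" for oldstable.
    lines = query_dpkg() or SAMPLE_DPKG_OUTPUT.splitlines()
    for pkg, result in assess(lines, FIXED_VERSIONS["bullseye"]).items():
        print(pkg, result)
```

Run it on the FreedomBox itself to check the real package state; when `dpkg-query` is unavailable it falls back to the constructed sample so the comparison logic can still be exercised elsewhere. The "not installed" result is the expected one on a FreedomBox that has no Java application pulling the package in, as the posts above report.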