Bug 2137790

Summary: log4j contains glyphicons with unacceptable licenses [fedora-all]
Product: [Fedora] Fedora Reporter: Marián Konček <mkoncek>
Component: log4jAssignee: Marián Konček <mkoncek>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: dbhole, devrim, java-sig-commits, mizdebsk, paul.wouters
Target Milestone: ---Keywords: Reopened, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: log4j-2.17.2-4.fc37 log4j-2.17.2-2.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-30 00:31:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marián Konček 2022-10-26 08:12:42 UTC 
See: https://pagure.io/releng/issue/11083

Log4j versions 2.13 and later started including glyphicons.zip file (used for building the project website, not needed for package build) and additional png files. These files are present in Fedora source rpms. However, they are not required for the package build.
Comment 1 Marián Konček 2022-10-26 08:26:06 UTC 
Fixed in Rawhide by PRs:
https://src.fedoraproject.org/rpms/log4j/pull-request/16
https://src.fedoraproject.org/rpms/log4j/pull-request/17

In Fedora 37:
https://src.fedoraproject.org/rpms/log4j/pull-request/20

In Fedora 36:
https://src.fedoraproject.org/rpms/log4j/pull-request/19

In Fedora 35:
https://src.fedoraproject.org/rpms/log4j/pull-request/18
Comment 2 Marián Konček 2022-10-26 08:32:29 UTC 
According to the license, we are not allowed to distribute the aforementioned files.
The glyphicons zip archive and png files have to be removed from the source rpm of log4j.
Comment 3 Fedora Update System 2022-12-21 06:40:25 UTC 
FEDORA-2022-174713e43f has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-174713e43f
Comment 4 Fedora Update System 2022-12-21 06:40:48 UTC 
FEDORA-2022-62c1c8536b has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-62c1c8536b
Comment 5 Fedora Update System 2022-12-22 01:16:57 UTC 
FEDORA-2022-62c1c8536b has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-62c1c8536b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-62c1c8536b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2022-12-22 01:40:37 UTC 
FEDORA-2022-174713e43f has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-174713e43f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-174713e43f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2022-12-30 00:31:02 UTC 
FEDORA-2022-174713e43f has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 8 Fedora Update System 2022-12-30 01:34:40 UTC 
FEDORA-2022-62c1c8536b has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.