<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thank you for posting!<div class=""><br class=""></div><div class="">Please see <a href="https://github.com/macports/macports-ports/pull/13353" class="">https://github.com/macports/macports-ports/pull/13353</a>.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 14, 2021, at 6:47 PM, Nils Breunese <<a href="mailto:nils@breun.nl" class="">nils@breun.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">A couple of hours ago<span class="Apple-converted-space"> </span></span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" style="font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046</a><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 24px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>was made public, which states that the previous mitigations of upgrading to Log4J 2.15.0 or setting system/environment properties is longer enough. The recommended solution is upgrading to Log4J 2.16.0. If that is not possible, it is recommended to at least remove the JndiLookup class from the log4j-core JAR (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).</span></div></blockquote></div><br class=""></div></body></html>