Significant security vulnerability discovered in Log4j

Joshua Root jmr at
Sun Dec 12 09:57:14 UTC 2021

On 2021-12-12 20:02 , Nils Breunese wrote:
> It could be the case the MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.

Not all ports have installed file information available, but the web app 
can search the ones that do:


- Josh

More information about the macports-dev mailing list