Significant security vulnerability discovered in Log4j

Steven Smith steve.t.smith at gmail.com
Mon Dec 13 03:43:56 UTC 2021


Please see https://github.com/macports/macports-ports/pull/13331

> On Dec 12, 2021, at 7:36 AM, Nils Breunese <nils at breun.nl> wrote:
> 
> 2. elasticsearch 7.15.2_0 includes log4j-core-2.11.1.jar, which is a vulnerable version of Log4J 2.x
> 
> https://github.com/elastic/elasticsearch/issues/81618 says: "This can be mitigated for the time being by adding -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS". I think I’d add -Dlog4j2.formatMsgNoLookups=true in /opt/local/etc/elasticsearch/jvm.options, or add ES_JAVA_OPTS="$ES_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true" at the end of /opt/local/bin/elasticsearch-env.
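
The jvm.options mitigation quoted above, as an added example that is not part of the original messages and is not MacPorts or Elasticsearch code: POSIX shell helpers that list the log4j-core versions bundled under an install directory and add the flag to a jvm.options file only if it is not already active. The function names are hypothetical, and the version check assumes the flag is honoured only by Log4j 2.10 and later.

```shell
#!/bin/sh
# Added example: audit helpers with hypothetical names, not project code.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Print the version of every log4j-core jar under directory $1,
# one per line (e.g. "2.11.1"), taken from the jar file name.
log4j_core_versions() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
        sed -n 's|.*/log4j-core-\([0-9][0-9.]*\)\.jar$|\1|p' | sort -u
}

# Return 0 if Log4j version $1 is a 2.x release that reads the flag
# (assumption stated in the lead-in: 2.10 and later).
flag_applies() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]
}

# Return 0 if jvm.options file $1 carries the flag on an active line.
# Commented-out lines ("# -D...") do not count.
has_nolookups() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF -- "$FLAG"
}

# Append the flag to $1 unless it is already active. Safe to re-run.
# Prints "added" or "present".
ensure_nolookups() {
    if has_nolookups "$1"; then
        echo present
    else
        # Do not glue the flag onto a last line that lacks a newline.
        if [ -f "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
            echo >> "$1"
        fi
        printf '%s\n' "$FLAG" >> "$1"
        echo added
    fi
}
```

Pass the install's library directory to `log4j_core_versions` and the jvm.options path named in the quoted message to `ensure_nolookups`; the service has to be restarted before a newly added option takes effect.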
