Significant security vulnerability discovered in Log4j

Nils Breunese nils at
Tue Dec 14 23:47:14 UTC 2021

Arjun Salyan <arjun at> wrote:

>> On 12-Dec-2021, at 3:27 PM, Joshua Root <jmr at> wrote:
>> Not all ports have installed file information available, but the web app can search the ones that do:
>> <>
> I identified an issue with the way we were updating our search index. That has been fixed and now this page shows 17 ports, instead of 5.

Thanks for fixing! For Log4J only log4j-core-* is relevant, and only shows the ports we already previously identified.

A couple of hours ago was made public, which states that the previous mitigations of upgrading to Log4J 2.15.0 or setting system/environment properties are no longer enough. The recommended solution is upgrading to Log4J 2.16.0. If that is not possible, it is recommended to at least remove the JndiLookup class from the log4j-core JAR (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
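
Added example (not part of the original message, and not MacPorts or Log4j project code): a check that the JndiLookup class is really gone after the zip -d step above. It goes beyond the message by also looking inside archives nested in other archives, since zip -d on log4j-core-*.jar does not touch a copy bundled inside an application JAR/WAR. The function names, the nesting limit and the sample archives are assumptions constructed for this example.

```python
import io
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # assumed cap on archive-in-archive nesting


def find_jndi_lookup(data, label, depth=0):
    """Return 'outer!inner!entry' paths of every JndiLookup.class found in archive bytes."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            # Exact path, or the same path under a prefix such as BOOT-INF/classes/
            if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                inner = archive.read(name)  # descend into the bundled archive
                hits += find_jndi_lookup(inner, f"{label}!{name}", depth + 1)
    return hits


def make_sample_jar(entries):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan the archives given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for hit in find_jndi_lookup(fh.read(), path):
                    print("JndiLookup still present:", hit)
    else:  # constructed demo: an application JAR bundling an unpatched log4j-core
        core = make_sample_jar({JNDI_CLASS: b"stub"})
        app = make_sample_jar({"lib/log4j-core-sample.jar": core})
        print(find_jndi_lookup(app, "app.jar"))
```

Run it with the paths of installed JARs as arguments; no output means no JndiLookup class was found in them or in any archive they bundle.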

