Any ports use log4j 2?

Perry Lee perry at macports.org
Sat Dec 11 19:27:20 UTC 2021


On Sat, Dec 11, 2021, at 10:34 AM, Ryan Schmidt wrote:
> On Dec 11, 2021, at 11:24, Richard L. Hamilton wrote:
>
>> CVE-2021-44228 sounds kinda scary!
>
> We appear to have a jakarta-log4j port but it is version 1.x, not 2.

Log4j 1.x isn't affected by that CVE [1], though there is a vulnerability that depends on configuration, not user input [2].

[1] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991387493
[2] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991730650


More information about the macports-users mailing list