On 2021-12-12 20:02 , Nils Breunese wrote:
It could be the case the MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.
Not all ports have installed file information available, but the web app can search the ones that do:
<https://ports.macports.org/search/?installed_file=log4j&q=> - Josh
