Arjun Salyan <[email protected]> wrote:
>> On 12-Dec-2021, at 3:27 PM, Joshua Root <[email protected]> wrote:
>>
>> Not all ports have installed file information available, but the web app can
>> search the ones that do:
>>
>> <https://ports.macports.org/search/?installed_file=log4j&q=>
>
> I identified an issue with the way we were updating our search index. That
> has been fixed and now this page shows 17 ports, instead of 5.

Thanks for fixing! For Log4J only log4j-core-* is relevant, and https://ports.macports.org/search/?installed_file=log4j-core&q= only shows the ports we already previously identified.

A couple of hours ago https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 was made public, which states that the previous mitigations of upgrading to Log4J 2.15.0 or setting system/environment properties is no longer enough. The recommended solution is upgrading to Log4J 2.16.0. If that is not possible, it is recommended to at least remove the JndiLookup class from the log4j-core JAR (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Nils.
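
The following is an added example, not part of the original message or of MacPorts: a check that finds log4j-core JARs under a directory and reports whether each one meets the 2.16.0 recommendation above or at least has JndiLookup.class removed. The function names, status labels and sample JARs are assumptions constructed for illustration; the version is read from the file name only.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)")
FIXED = (2, 16, 0)  # release recommended in the message above


def classify(jar_path):
    """Classify one log4j-core JAR by file-name version and JndiLookup presence."""
    m = CORE_JAR.match(jar_path.name)
    version = tuple(int(g) for g in m.groups()) if m else None
    try:
        with zipfile.ZipFile(jar_path) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return "unreadable"  # truncated or corrupt archive: inspect by hand
    if version is not None and version >= FIXED:
        return "upgraded"
    return "needs-action" if has_jndi else "class-removed"


def scan(root):
    """Map each log4j-core-*.jar under root (relative path) to its status."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("log4j-core-*.jar"))}


def build_samples(root):
    """Constructed sample JARs (placeholders, not real Log4J builds)."""
    layout = {
        "app/lib/log4j-core-2.14.1.jar": True,     # old release, class present
        "app/lib/log4j-core-2.15.0.jar": False,    # old release, class removed
        "share/java/log4j-core-2.16.0.jar": True,  # recommended release
    }
    for rel, with_jndi in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    (root / "app/lib/log4j-core-2.13.0.jar").write_bytes(b"not a zip")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        for name, status in scan(Path(tmp)).items():
            print(f"{status:14} {name}")
```

This only sees JARs that sit on disk under their own name; a log4j-core copy bundled inside another archive is not found by this scan.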
