Here is the CVE I was talking about, just found it again. It was in 1.9.19:
https://github.com/eclipse-aspectj/aspectj/issues/192

--
Alexander Kriegisch
https://scrum-master.de

Alexander Kriegisch via aspectj-users wrote on 01.05.2024 at 10:46:

> Yes, 1.8.14 was unusual. That was before I was an AspectJ
> committer, though.
>
> Concerning the hypothetical CVE report, let us walk through that door
> if and when we stand in front of it. It always depends on the
> circumstances, but actually I see no reason why Java 8 users should
> not use e.g. 1.9.22. Installing an extra JDK on the build machine
> and pointing to that during compile-time weaving is not rocket
> science and in no way impedes you in using the compile results on
> Java 8. Besides, many bugs and even one CVE I personally remember
> were fixed in more recent versions, i.e. it might be beneficial even
> for legacy projects to recompile and use more recent AspectJ
> dependencies.
>
> It should be super easy to upgrade. Have you tried?
>
>
> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at 15:02:
>
>> 1.8.14 must have been unusual then, because I did see it released
>> after the 1.9.xx branch was in progress.
>>
>> For a team on 1.8.x facing a hypothetical CVE report, how hard is
>> the upgrade to 1.9.22 likely to be? Sounds like a Java build time
>> version upgrade may be needed.
>>
>>
>> From: Alexander Kriegisch
>>
>>> Thanks for your inquiry.
>>>
>>> AspectJ generally does not release updates for older versions.
>>> Usually, more recent versions are backward compatible. E.g., you
>>> can use the current 1.9.22 to compile with 1.8 source/target or
>>> use LTW on Java 8. Only in your build environment when using AJC
>>> directly or aspectjtools.jar via Maven or Gradle plugin, you
>>> would need Java 17, because the upstream Eclipse compiler
>>> requires it.
>>>
>>>
>>> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at
>>> 13:13:
>>>
>>>> I read up on the supported Java versions situation on the
>>>> GitHub issue tracker. I have some related questions around the
>>>> v1.8.x line:
>>>>
>>>> 1. Is the project still releasing fixes on the 1.8.x line, at
>>>> least while Java 8 is still in support? I ask because I think
>>>> the last one was 1.8.14 in 2019. Say a CVE shows up, would you
>>>> be likely to release a 1.8.15 with a fix?
>>>>
>>>> 2. Are the 1.8.x minor releases compatible, in the
>>>> semantic-versioning sense of the word? I.e., would a hypothetical
>>>> 1.8.15 be a drop-in replacement? I ask because this project
>>>> doesn't explicitly follow semantic versioning, although I
>>>> suspect it may have back in the 1.8 days?
>>>>
>>>> Apologies if these are answered elsewhere, if so I didn't
>>>> manage to find them on the website.
>>>>
>>>> The context of my ask is OWASP A06 analysis of our SBOM, not to
>>>> motivate for any project action.