> On May 25, 2019, at 3:15 PM, Matt Sicker <boa...@gmail.com> wrote:
>
> Hi, I've gone ahead and approved it after review. Since I'm not active
> in beanutils, I'd prefer someone else to either merge it or add an
> approval review first. My company has also been moving toward
> eliminating vulnerable versions of dependencies, and we use beanutils
> (1.9.x currently) in some limited fashion.
Will put eyes on this in the next 24 hours. -Rob
>
>> On Thu, 23 May 2019 at 06:29, Melloware Inc <melloware...@gmail.com> wrote:
>>
>> Hey All!
>>
>> First-time contributor here. My company has a corporate goal to only use
>> open source libraries with NO open security CVEs marked as critical.
>>
>> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket:
>> https://issues.apache.org/jira/browse/BEANUTILS-520
>>
>> I submitted my first Apache Commons PR which addresses the issue which I
>> was hoping I could get code reviewed and hopefully merged. I followed all
>> guidelines and included a specific unit test to prove the issue and the fix.
>>
>> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>>
>> I really feel like this is an important fix to have security on by default
>> and still allow the ability to opt-out and make it backwards compatible. I
>> hope the Apache community feels the same way!
>>
>> Thanks,
>> Melloware
>
>
>
> --
> Matt Sicker <boa...@gmail.com>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
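The thread turns on the "secure by default, with an opt-out" shape of the fix: CVE-2014-0114 is the exposure of the `class` property through BeanUtils property paths (for example `class.classLoader`), and since BeanUtils 1.9.2 the library ships `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, which hides that property when registered on a `PropertyUtilsBean`. The snippet below is an added example, not code from PR #7 or from the Commons project; it assumes commons-beanutils 1.9.x on the classpath and shows how to check whether `class` is reachable, how to register the suppressor, and how the backwards-compatibility opt-out looks. It makes no claim about which release turns the suppressor on by default; that is what the PR is about, and the first check reports what the installed version actually does.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Stand-in bean for whatever the application binds request data into
    // (constructed for this example).
    public static class Account {
        private String name = "guest";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Returns true if the introspector lets a caller walk from any bean to
    // its ClassLoader via the "class" pseudo-property. With SUPPRESS_CLASS
    // registered, BeanUtils has no descriptor for "class" and throws
    // NoSuchMethodException instead of returning the Class object.
    static boolean classLoaderReachable(PropertyUtilsBean pub, Object bean) {
        try {
            return pub.getProperty(bean, "class.classLoader") != null;
        } catch (NoSuchMethodException e) {
            return false; // "class" suppressed: the path is cut at the first step
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Account acct = new Account();

        // 1. Whatever the installed version does out of the box: this is the
        //    "on by default or not" question the PR addresses.
        PropertyUtilsBean shared = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("installed default: classLoader reachable = "
                + classLoaderReachable(shared, acct));

        // 2. Explicit opt-in on a fresh PropertyUtilsBean (the 1.9.2+ API).
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("SUPPRESS_CLASS registered: classLoader reachable = "
                + classLoaderReachable(hardened, acct)); // expected false

        // 3. The backwards-compatibility opt-out: remove the suppressor again.
        //    Only do this for code that genuinely needs to read "class" and
        //    never feeds untrusted property names into populate()/setProperty().
        hardened.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("SUPPRESS_CLASS removed: classLoader reachable = "
                + classLoaderReachable(hardened, acct)); // expected true
    }
}
```

Running step 1 against the version pinned in a build is a cheap way to verify, rather than assume, that an upgrade actually closed the `class` path for the shared `BeanUtilsBean` instance that `BeanUtils.populate()` and friends use. The check deliberately goes through a nested path rather than `getProperty(bean, "class")`, since the nested walk is how the property reaches the ClassLoader in practice.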