The claimed security issue on Apache Commons appears to be broken.
Possibly they're referring to this:
https://news.apache.org/foundation/entry/apache_commons_statement_to_widespread
which did not have a CVE

On Sun, Dec 3, 2023 at 4:11 PM Piotr P. Karwasz <[email protected]> wrote:
>
> Hi Elliotte,
>
> On Sun, 3 Dec 2023 at 14:13, Elliotte Rusty Harold <[email protected]> wrote:
> >
> > https://issues.apache.org/jira/projects/VALIDATOR/issues/VALIDATOR-390
> > and https://issues.apache.org/jira/projects/VALIDATOR/issues/VALIDATOR-357
> > are both open dependency upgrades with security implications. If
> > they've already been fixed, then please close the issues.
> >
> > If they haven't been fixed, I vote -1 until they are. Looking at head,
> > I think VALIDATOR-357 has been fixed and should be closed, but
> > VALIDATOR-390 is still open.
>
> Looking at the SBOM, the only dependencies (including transitive ones) are:
>
> * commons-beanutils 1.9.4,
> * commons-digester 2.1,
> * commons-logging 1.3.0,
> * commons-collections 3.3.2.
>
> None of them have CVEs.
>
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>


-- 
Elliotte Rusty Harold
[email protected]
