On Thu, Nov 13, 2025 at 2:23 PM Emmanuel Bourg <[email protected]> wrote:
> On 13/11/2025 18:12, Vladimir Sitnikov wrote:
>
>>> That would probably be a waste of time since neither json-lib 2.3 nor
>>> ezmorph 1.0.6 use the ClassUtils class affected by the CVE:
>>
>> See, GitHub nags me about "your dependencies have CVE".
>> I am sure I am not the only one who still has commons-lang via transitive
>> dependency.
>> I am sure the actual ClassUtil usage is minimal, however, I do not want to
>> have vulnerable classes on the classpath.
>
> It's not minimal, it's exactly zero in your case. And you don't even use
> it in your application since it's just the staging plugin of your build
> file.
>
>> Frankly, the policy of "not providing a fix for CVE" does not sound right
>> to me.
>
> Commons Lang 2.6 is 14 years old. Maintaining it indefinitely for free
> doesn't sound right to me.
>

I agree with the sentiment here, but I also understand Vladimir's position. We should formally EOL lang2 (and *many* other n-k versions of Commons components) unless we are willing to backport security fixes. While the one dependency trace he posted may not be "real" and 99% of others may "miss" the CVE, it is not practical for users to validate these things and build tools are going to kick them out. I will start another thread on the general topic, but I think we should provide a backport patch for this. I have not pushed a release in a while, but I will rely on Gary's kind help to get this done assuming others are amenable. See other thread for the general topic.

Phil

> Emmanuel Bourg
