On Thu, Nov 13, 2025 at 10:14 AM Vladimir Sitnikov <[email protected]> wrote:

> >That would probably be a waste of time since neither json-lib 2.3 nor
> >ezmorph 1.0.6 use the ClassUtils class affected by the CVE:
>
> See, GitHub nags me about "your dependencies have CVE".
> I am sure I am not the only one who still has commons-lang via transitive
> dependency.
>
> I am sure the actual ClassUtil usage is minimal, however, I do not want to
> have vulnerable
> classes on the classpath.
>
> Frankly, the policy of "not providing a fix for CVE" does not sound right
> to me.
>

Can you please submit this as a PR using the LANG_2_X branch? That is where we need to work to create a 2_X RC.

> I've prepared a fix:
>
> https://github.com/apache/commons-lang/compare/LANG_2_6...vlsi:commons-lang:lang-2.6-CVE-2025-48924?expand=1

thx,
Phil

> >How about using the
> >current io.codearte.gradle.nexus:gradle-nexus-staging-plugin 0.30.0
>
> It might work, however having a clear way to avoid CVE would help consumers
> while they remove -lang:2 from their code.
>
> Vladimir
>
