Thank you Jerome!
For now we will upgrade to v4.5.6 to mitigate the CVE risks while we chart
out the plan to move to JDK 11.
This will force us to think about moving to JDK 11, which I think is time
for us to move.



On Mon, Aug 1, 2022 at 3:31 AM Jérôme LELEU <[email protected]> wrote:

> Hi,
>
> I'm back from vacation.
>
> Indeed, we now target JDK 11 and encourage people to upgrade. This is pac4j
> v5.
> This is where we focus our efforts. All new features and security fixes are
> done on this branch.
>
> If you still need JDK 8, pac4j v4 still exists but almost no longer
> evolves.
> Critical security fixes are still applied on this branch when requested.
>
> Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6:
> https://www.pac4j.org/docs/release-notes.html
> So you just need to upgrade to this version which is JDK 8 based.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, Jul 28, 2022 at 8:27 PM larry mccay <[email protected]> wrote:
>
> > Hi Jérôme -
> >
> > Hope you are well!
> >
> > We have a need to upgrade to a new version of pac4j that
> > addresses CVE-2021-44878.
> > However, it appears that the version of pac4j with the fix requires Java
> > 11 or above.
> >
> > Can we request a new release with Java 8 support as we are not able to
> > drop support for it at this time without broad discussion and community
> > agreement? Even then we would need to provide a Knox release with the fix
> > backported for those that can't upgrade to 11+.
> >
> > If we could help with this effort, please let us know.
> >
> > thanks,
> >
> > --larry
> >
> >
>
