Howdy,

Maven carries (does not use) guava 31.1 as a dependency of guice.
No code (including Guice) uses the CVE affected File related classes.
Also, guava is NOT exposed to plugins either.
Hence, I think we are fine.

HTH
Tamas

On Fri, Jun 23, 2023 at 3:55 PM Elliotte Rusty Harold <elh...@ibiblio.org>
wrote:

> There seems to be a recent security fix in Guava in 32.0.0 which broke
> other things, so 32.0.1 is recommended. I'm not sure if any of this
> affects Maven, but it's probably good to get this in.
>
> On Fri, Jun 23, 2023 at 9:34 AM Tamás Cservenák <ta...@cservenak.net>
> wrote:
> >
> > Howdy,
> >
> > We solved 22 issues:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12353255
> >
> > There are still a couple of issues left in JIRA:
> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-1968/
> >
> > Dev dist directory:
> > https://dist.apache.org/repos/dist/dev/maven/maven-3/3.9.3/
> >
> > Source release checksums:
> > apache-maven-3.9.3-src.zip sha512:
> > a56a9e47e70ba8e3e83ff627b76a712c7b5bda59245d23bcbc541b2358b859f699d4916b7e715c45a5c336676b8b2ab0ab472dffc045ae4db635b21f7ddcc0c2
> > apache-maven-3.9.3-src.tar.gz sha512:
> > 5511b20c36fd09a8ba7260bfa78d29bb683a04828c56e93d176768eb61cb07ab91f29db745460ce9784c84561f359497158f4c800142716d3e590ac2c333e8fb
> >
> > Binary release checksums:
> > apache-maven-3.9.3-bin.zip sha512:
> > fba80f4bb0429052d558959b1bfbc99984f8cb8ff59a53baae0a0874b71a2601e2805c5e557b7b59d81716a0b4b35d1b2eeccb566c40b23cc575331a4984ef6c
> > apache-maven-3.9.3-bin.tar.gz sha512:
> > 400fc5b6d000c158d5ee7937543faa06b6bda8408caa2444a9c947c21472fde0f0b64ac452b8cec8855d528c0335522ed5b6c8f77085811c7e29e1bedbb5daa2
> >
> > Staged site:
> > https://maven.apache.org/ref/3-LATEST/
> >
> > Draft for release notes:
> > https://github.com/apache/maven-site/pull/424
> >
> > Guide to testing staged releases:
> > http://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for 72h
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
>
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
