[ https://issues.apache.org/jira/browse/RANGER-5391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18038528#comment-18038528 ]
vishnu k r commented on RANGER-5391:
------------------------------------
[~madhan], when can we expect these changes to be officially released?
> Migrate from commons-lang 2.6 to commons-lang3 3.19.0 to fix CVE-2025-48924
> ---------------------------------------------------------------------------
>
> Key: RANGER-5391
> URL: https://issues.apache.org/jira/browse/RANGER-5391
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins, Ranger
> Affects Versions: 2.7.0
> Reporter: vishnu k r
> Assignee: vishnu k r
> Priority: Major
> Fix For: 3.0.0, 2.8.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> This issue tracks the migration of Apache Ranger from Apache Commons Lang 2.6
> to Commons Lang 3.19.0 to address CVE-2025-48924.
> The existing dependency `commons-lang:2.6` is affected by CVE-2025-48924,
> which exposes potential input handling vulnerabilities. The newer
> `commons-lang3` library (package `org.apache.commons.lang3`) is a fully
> maintained and secure replacement.
> **Proposed Changes:**
> - Remove dependency on `commons-lang:2.6`
> - Add dependency on `commons-lang3:3.19.0`
> - Update all imports from `org.apache.commons.lang.*` to `org.apache.commons.lang3.*`
> - Adjust code where API differences exist
> - Validate build and test compatibility
> **Impact:**
> - Fixes CVE-2025-48924
> - Removes usage of deprecated and insecure dependency
> - No functional impact to Ranger features
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
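
A check for the "Remove dependency" and "Update all imports" steps in the quoted issue, added here as an example and not part of the Jira message or of Ranger's code: it lists leftover `org.apache.commons.lang.*` imports and `commons-lang` artifactIds, and marks imports that a plain package rename will not fix. The function names, the `NEEDS_REVIEW` list and the sample input are assumptions made for this example.

```python
import re
from pathlib import Path

# Legacy commons-lang 2.x import (plain or static). The dot required after
# "lang" keeps org.apache.commons.lang3 imports from matching.
LEGACY_IMPORT = re.compile(r"^\s*import\s+(?:static\s+)?(org\.apache\.commons\.lang\.[\w.*]+)\s*;")
# Maven artifactId that is exactly commons-lang, not commons-lang3.
LEGACY_ARTIFACT = re.compile(r"<artifactId>\s*commons-lang\s*</artifactId>")
# 2.x names with no same-named class directly under org.apache.commons.lang3,
# so a rename alone will not compile. Partial list assumed for this example.
NEEDS_REVIEW = ("org.apache.commons.lang.enums.",
                "org.apache.commons.lang.exception.Nestable",
                "org.apache.commons.lang.WordUtils")

def scan_text(name, text):
    """Return (file, line_no, kind, detail) for each leftover 2.x reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LEGACY_IMPORT.match(line)
        if m:
            kind = "review" if m.group(1).startswith(NEEDS_REVIEW) else "rename"
            findings.append((name, no, kind, m.group(1)))
        elif name.endswith("pom.xml") and LEGACY_ARTIFACT.search(line):
            findings.append((name, no, "dependency", "commons-lang"))
    return findings

def scan_tree(root):
    """Scan every .java file and pom.xml below root."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix == ".java" or p.name == "pom.xml"):
            out += scan_text(str(p), p.read_text(encoding="utf-8", errors="replace"))
    return out

# Constructed sample input, not taken from the Ranger source tree.
SAMPLE_JAVA = """import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ArrayUtils;
import static org.apache.commons.lang.StringUtils.isBlank;
import org.apache.commons.lang.exception.NestableRuntimeException;
"""
SAMPLE_POM = """<artifactId>commons-lang</artifactId>
<artifactId>commons-lang3</artifactId>
"""

if __name__ == "__main__":
    for finding in scan_text("Sample.java", SAMPLE_JAVA) + scan_text("pom.xml", SAMPLE_POM):
        print(finding)
```

An empty result from `scan_tree` covers only direct references in source and POM files; transitive copies of `commons-lang` still need a dependency-tree check in the build.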