[ https://issues.apache.org/jira/browse/VALIDATOR-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14279981#comment-14279981 ]

Benedikt Ritter commented on VALIDATOR-357:
-------------------------------------------

We couldn't update BeanUtils to 1.9.2, since Validator 1.4.1 had to be 
compatible with Java 1.4, but BeanUtils 1.9.x requires Java 5+. 

We've updated the Java requirements of Validator to Java 6+ for the upcoming 
release 1.5 as well as the dependency to BeanUtils to 1.9.2.

Would it be okay for you if we fix this as invalid?

> Upgrade BeanUtils
> -----------------
>
>                 Key: VALIDATOR-357
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-357
>             Project: Commons Validator
>          Issue Type: New Feature
>          Components: Framework
>    Affects Versions: 1.1.3 Release, 1.2.0 Release, 1.3.0 Release, 1.3.1 
> Release, 1.4.0 Release, 1.4.1 Release
>            Reporter: David Dillard
>            Priority: Minor
>
> Validator 1.41 depends on BeanUtils 1.8.3.  This has a "potential security 
> issue", see 
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
>   Also, see http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2014-0114
> Even if this issue doesn't affect Validator, BeanUtils should be upgraded so 
> that issue doesn't affect other users of BeanUtils given the screwy way 
> some builders (e.g. Maven) resolve conflicting dependencies.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
