[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746638#comment-17746638 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648559780

Please use ML https://maven.apache.org/mailing-lists.html for communication.

> Bump guava from 31.1-jre to 32.0.1-jre
> --
>
> Key: MNG-7828
> URL: https://issues.apache.org/jira/browse/MNG-7828
> Project: Maven
> Issue Type: Dependency upgrade
> Affects Versions: 3.9.x-candidate, 4.0.x-candidate
> Reporter: Bruno Candido Volpato da Cunha
> Assignee: Guillaume Nodet
> Priority: Major
> Fix For: 3.9.4, 4.0.0-alpha-8
>
> Currently used version is in the range of CVE-2023-2976, which was fixed in
> 32.0.0.
>
> Please check [https://osv.dev/vulnerability/GHSA-7g45-4rm6-3mm3] for more
> information.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746633#comment-17746633 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648541127

AFAIK Maven is not affected by the CVE you refer to. And no, 3.8.x is not excluded from reported vulnerability patches.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746632#comment-17746632 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648535921

> Which Maven vulnerability you talk about specifically?

For requesting a vulnerability patch in 3.8.X, I think I'm asking about [CVE-2023-2976](https://github.com/advisories/GHSA-7g45-4rm6-3mm3). But I wanted to know if 3.8.X is generally considered to be excluded from vulnerability patches?
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746628#comment-17746628 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648528291

Which Maven vulnerability you talk about specifically?
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746623#comment-17746623 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648512863

They are internal customers, and I can't share their private customized plugins' source code. Should we consider that 3.8.X is in general out of scope for vulnerability patches?
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746620#comment-17746620 ]

ASF GitHub Bot commented on MNG-7828:

slachiewicz commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648505273

Not at this moment. Can you share more details (maybe links to bug reports in plugin repos?) about what issues your projects have with Maven 3.9? This is the active maintenance line of Maven.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746606#comment-17746606 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1648455314

Hi Maven team, I'm curious to see if Maven is still considering doing a patch for 3.8.X? We have customers that need to use 3.8.X since they have multiple repos with plugins that only work in 3.8.X.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17744683#comment-17744683 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1189:
URL: https://github.com/apache/maven/pull/1189#issuecomment-1642307816

Current plan:
* release resolver 1.9.14 https://issues.apache.org/jira/issues/?jql=project%20%3D%20MRESOLVER%20AND%20fixVersion%20%3D%201.9.14
* after that release Maven 3.9.4 https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20fixVersion%20%3D%203.9.4

ASF vote process is 72h, so this above is 72+72h and will start my next (European) morning most probably.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17744655#comment-17744655 ]

ASF GitHub Bot commented on MNG-7828:

dimon222 commented on PR #1189:
URL: https://github.com/apache/maven/pull/1189#issuecomment-1642232588

Any approximation when will 3.9.4 arrive with this patch? CVE is really holding.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17742041#comment-17742041 ]

ASF GitHub Bot commented on MNG-7828:

gnodet merged PR #1189:
URL: https://github.com/apache/maven/pull/1189
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17742040#comment-17742040 ]

ASF GitHub Bot commented on MNG-7828:

gnodet merged PR #1191:
URL: https://github.com/apache/maven/pull/1191
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740399#comment-17740399 ]

ASF GitHub Bot commented on MNG-7828:

bvolpato commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1622980405

Can a committer merge this PR? Thanks!
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740398#comment-17740398 ]

ASF GitHub Bot commented on MNG-7828:

bvolpato commented on PR #1189:
URL: https://github.com/apache/maven/pull/1189#issuecomment-1622980343

Can a committer merge this PR? Thanks!
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740334#comment-17740334 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1622599921

Ah it seems like Guice has done the fix upstream: https://github.com/google/guice/commit/331e484c77dd121ffa21831c057f51735d967022
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740274#comment-17740274 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1622074257

> I looked into it, but it's not very straightforward like the bump of `` here. In `3.8.x`, Guava comes transitively from Guice.

Thanks for this detail!
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17740166#comment-17740166 ]

ASF GitHub Bot commented on MNG-7828:

bvolpato commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1621608212

I looked into it, but it's not very straightforward like the bump of `` here. In `3.8.x`, Guava comes transitively from Guice.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17739985#comment-17739985 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1620707074

I'm supporting some images built for Maven for some customers, and they still need 3.8.X, but we are requested to do a vulnerability patch for this.
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738808#comment-17738808 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1613888356

A Maven 3.8.x release will happen if someone comes up with some blocker bug, which I doubt. And I am curious, why not move to the 3.9.x line?
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738751#comment-17738751 ]

ASF GitHub Bot commented on MNG-7828:

ywluogg commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1613684600

I'm curious, are there plans to bump this in 3.8.X?
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738187#comment-17738187 ]

ASF GitHub Bot commented on MNG-7828:

bvolpato commented on PR #1191:
URL: https://github.com/apache/maven/pull/1191#issuecomment-1611690589

R: @cstamas
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738116#comment-17738116 ]

ASF GitHub Bot commented on MNG-7828:

bvolpato commented on PR #1189:
URL: https://github.com/apache/maven/pull/1189#issuecomment-1611407336

Thanks! https://github.com/apache/maven/pull/1191 for master
[jira] [Commented] (MNG-7828) Bump guava from 31.1-jre to 32.0.1-jre
[ https://issues.apache.org/jira/browse/MNG-7828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17738024#comment-17738024 ]

ASF GitHub Bot commented on MNG-7828:

cstamas commented on PR #1189:
URL: https://github.com/apache/maven/pull/1189#issuecomment-1611048094

A similar change will be needed for the master branch as well.