robertlazarski merged pull request #127:
URL: https://github.com/apache/axis-axis2-java-core/pull/127
Xmlbeans 3.0.1 passed the unit tests, so I made the commit.
I believe what happened here is that we rejected the Dependabot pull
request to 4.x because it wouldn't build, so we missed the 3.x upgrade
which at least solves the CVE.
Regards,
Robert
On Fri, Mar 12, 2021 at 2:40 AM Andrew Marlow wrote:
Hello everyone,
The soon to be released axis2 version 1.8.0 depends on xmlbeans 2.6.0 which
is exposed to CVE-2021-23926, which is ranked by NIST as 9.1 critical.
Can't we move to version 3.0.1? I tried that and it all built ok. I also
tried version 4.0.0 but that had problems due to API changes.