Hi Łukasz,

Thanks a lot for your answer.

Unfortunately we do not have the option to easily update to the new artifacts, as we get Velocity 1.7 as a transitive dependency. Even if we exclude the old 1.7 version and add the 2.3 version, we expect problems based on the behaviour and API changes mentioned in [1]. Hence, we try to understand if Velocity 1.7 is affected by the CVE-2020-13959 vulnerability. At least currently it looks like it is affected, as 2.x and 1.x have the same codebase (as far as I understand).

Kind Regards,
Michael

[1]: http://velocity.apache.org/engine/2.3/upgrading.html#upgrading-from-velocity-17-to-velocity-20

> On 18. Mar 2021, at 07:04, Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
> Thu, 18 Mar 2021 at 05:48 Bolz, Michael <michael.b...@sap.com> wrote:
>> I try to find out if this CVE-2020-13959 also affects the older Velocity 1.7
>> version.
>>
>>> <groupId>org.apache.velocity</groupId>
>>> <artifactId>velocity</artifactId>
>>> <version>1.7</version>
>>
>> As we are using dependencies which require this old Velocity version.
>> Unfortunately the CVE description on NVD is not clear about this.
>> Furthermore I tried to check it myself based on the GitHub repo, but was
>> not successful.
>>
>> It would be very kind if someone could help me.
>
> Artifacts and GroupIDs have changed some time ago, see [1][2][3], so
> you must migrate to the new artifacts. There are some code changes that
> need to be applied (if you have a by-code integration).
>
> Before
> [1] https://github.com/apache/struts/blob/struts-2-5-x/pom.xml#L659-L685
> Now
> [2] https://github.com/apache/struts/blob/master/pom.xml#L732-L749
> Migration
> [3] https://github.com/apache/struts/pull/394
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
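As an added illustration (not part of the thread and not from the Velocity or Struts projects), this is what the exclusion Michael describes would look like in a Maven pom.xml. `some.vendor:library-using-velocity` is a hypothetical placeholder for whichever dependency pulls in Velocity 1.7 transitively; `velocity-engine-core` is the artifactId under which Velocity 2.x is published, which the thread alludes to ("artifacts have changed") but does not spell out.

```xml
<!-- Added example, not from the mailing-list thread.
     Drops the transitive org.apache.velocity:velocity:1.7 and declares
     the 2.3 engine explicitly at the top level of the consuming project. -->
<dependencies>
  <dependency>
    <!-- hypothetical placeholder: the library that drags in velocity:1.7 -->
    <groupId>some.vendor</groupId>
    <artifactId>library-using-velocity</artifactId>
    <version>1.0.0</version>
    <exclusions>
      <exclusion>
        <!-- old coordinates, exactly as quoted in the thread -->
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <!-- Velocity 2.x is published under a new artifactId; 2.3 is the
         version Michael refers to -->
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity-engine-core</artifactId>
    <version>2.3</version>
  </dependency>
</dependencies>
```

After changing the pom, `mvn dependency:tree -Dincludes=org.apache.velocity` shows whether any path still resolves to the 1.7 artifact (another dependency may pull it in as well, and each such path needs its own exclusion). The caveat Michael raises still stands: the placeholder library was compiled against the 1.7 API, so the exclusion only removes the old jar from the classpath; it does not make that library compatible with 2.x, and the behaviour and API changes listed in [1] have to be checked before relying on this at runtime.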