Thanks for the reply, Tamas!

-----Original Message-----
From: Tamás Cservenák <ta...@cservenak.net> 
Sent: 03 October 2024 21:57
To: Maven Users List <users@maven.apache.org>
Cc: Eric Desrochers <edesroch...@microsoft.com>; Maruthi Thotad 
<maruthi.tho...@microsoft.com>; Archana Choudhary <archa...@microsoft.com>; 
Sumedh Alok Sharma <sumsha...@microsoft.com>; Lakshmi Satya Sai Sindhu Karri 
<laka...@microsoft.com>
Subject: [EXTERNAL] Re: FW: Requesting fix for CVE-2023-2976 in maven 3.8.x

Howdy,

AFAIK it is not.
Guava is not part of Maven API (is not exposed to plugins and such) and is not 
used in Maven at all.
The only reason why Guava is present in Maven distro is Guice (as you noted, 
Guice depends on Guava), but even then, Guice (AFAIK, have to emphasize, 
please check) is not using the vulnerable class in Guava either.
Guava is contained but is "confined" in Maven.

HTH
Tamas

On Thu, Oct 3, 2024 at 5:45 PM Lakshmi Satya Sai Sindhu Karri 
<laka...@microsoft.com> wrote:
>
> Hi Tamas Cservenak,
>
> Could you please confirm if maven-3.8.x is affected by CVE-2023-2976?
>
> Regards,
>
> Sindhu
>
> From: Lakshmi Satya Sai Sindhu Karri
> Sent: 03 October 2024 10:41
> To: users@maven.apache.org
> Subject: Requesting fix for CVE-2023-2976 in maven 3.8.x
>
> Hi,
>
> Referring to the discussion in "[MNG-7828] Bump guava from 30.1-jre to
> 32.0.1-jre by bvolpato · Pull Request #1191 · apache/maven" (github.com),
> which is a fix for "NVD - CVE-2023-2976" (nist.gov): maven-3.8.x is still
> maintained.
>
> So, can you confirm if maven-3.8.x is affected by the CVE? Request to provide
> a patch if applicable.
>
> Background about the CVE:
>
> maven-3.8.7 uses guice, which in turn fetches guava-25.1 as a dependency.
> Guava-25.1 is vulnerable. A safe guava version is 32.0.1.
>
> Is there any plan to upgrade the guice version in maven-3.8.x so that the
> corresponding guava it fetches is safe?
>
> Regards,
>
> Sindhu
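The question the thread turns on is not only which Guava version ships in Maven's lib/ but whether anything in the distribution actually names the affected class. The script below is an added example (editor's code, not from the thread or the Maven project): it reports the shipped Guava version against the 32.0.1 threshold the thread cites and lists the other jars whose class files reference the affected class. Assumptions: the class behind CVE-2023-2976 is Guava's FileBackedOutputStream (the thread only says "the vulnerable class"), and make_sample_lib builds a constructed stand-in for a lib/ directory so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2023-2976 concerns Guava's FileBackedOutputStream (assumption: the class
# is identified by the editor; the thread only says "the vulnerable class").
AFFECTED_CLASS = b"com/google/common/io/FileBackedOutputStream"
FIXED_VERSION = (32, 0, 1)  # "a safe guava version is 32.0.1" per the thread
GUAVA_JAR = re.compile(r"^guava-(\d+(?:\.\d+)*)(?:-jre|-android)?\.jar$")

def guava_version(lib_dir):
    """Version tuple of the guava jar shipped in lib_dir, or None if absent."""
    for jar in Path(lib_dir).glob("guava-*.jar"):
        m = GUAVA_JAR.match(jar.name)
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None

def jars_referencing(lib_dir, class_ref=AFFECTED_CLASS):
    """Non-guava jars with a .class entry naming class_ref. A class that uses it
    carries the name in its constant pool, so a byte search is a cheap check."""
    hits = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        if GUAVA_JAR.match(jar.name):
            continue  # guava itself contains the class; that proves nothing
        with zipfile.ZipFile(jar) as zf:
            if any(n.endswith(".class") and class_ref in zf.read(n) for n in zf.namelist()):
                hits.append(jar.name)
    return hits

def triage(lib_dir):
    """What a reviewer needs: shipped version, is it fixed, and who uses it."""
    ver = guava_version(lib_dir)
    return {"guava": ".".join(map(str, ver)) if ver else None,
            "guava_fixed": ver is not None and ver >= FIXED_VERSION,
            "referencing_jars": jars_referencing(lib_dir)}

def make_sample_lib():
    """Constructed stand-in for a Maven lib/ dir (not a real distribution)."""
    lib = Path(tempfile.mkdtemp())
    stubs = {"guava-25.1-jre.jar": {"com/google/common/io/FileBackedOutputStream.class": AFFECTED_CLASS},
             "guice-stub.jar": {"com/google/inject/Guice.class": b"com/google/common/base/Preconditions"},
             "demo-uses-fbos.jar": {"demo/Uploader.class": b"L" + AFFECTED_CLASS + b";"}}
    for jar, entries in stubs.items():
        with zipfile.ZipFile(lib / jar, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)  # stub class bodies, not real bytecode
    return lib
```

The constant-pool search over-approximates (dead code still counts as a reference), so an empty result for the guice jar supports Tamas's "confined" reading, while a hit would be the place to look next.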
