Hi!

For the record, we just use one single function of Apache commons-text, the StringEscapeUtils() method, which is not impacted by the CVE AFAICT, so I think we are safe.

However, for clarity, and also to avoid the LDAP API being flagged as dubious by systems that look for vulnerable third-party libraries, we should certainly cut a new version with an updated commons-text version.

I will work on it ASAP.

Thanks!

On 2022/10/27 10:30, Travis Spencer wrote:
Good morning, all.

org.apache.directory.api:api-all depends on Apache text-commons
version 1.9 which has a CVE with a score of 9.8. Is there an update in
the works that uses a non-vulnerable version of text-commons? I didn't
find an issue in Jira.

Also, is the usage of the LDAP client susceptible to the issue?

The CVE is CVE-2022-42889.

--

TIA!

Travis Spencer

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


--
Emmanuel Lécharny - CTO
205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/
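The thread turns on a transitive dependency (commons-text 1.9 pulled in through api-all) that dependency scanners will flag regardless of which class a project actually calls. The following is an added example, not code from the thread or from the Apache Directory project: it parses constructed `mvn dependency:tree` output, locates every commons-text occurrence, reports the chain of artifacts that brings it in, and compares the version against a fix threshold. The default threshold of 1.10.0 is the release named in the Apache advisory for CVE-2022-42889; the api-all and project versions in the sample are invented.

```python
"""Locate vulnerable commons-text versions in a Maven dependency tree."""
import re

# Constructed sample of `mvn dependency:tree` output (not from the thread).
# The api-all and ldap-client version numbers are invented; commons-text 1.9
# is the version the thread discusses, arriving transitively via api-all.
SAMPLE_TREE = """\
[INFO] com.example:ldap-client:jar:1.0.0
[INFO] +- org.apache.directory.api:api-all:jar:2.1.0:compile
[INFO] |  +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Tree lines look like "|  +- group:artifact:type[:classifier]:version:scope";
# the root line has no marker and no scope.
LINE = re.compile(r"^([|\s]*)([+\\]- )?(.+)$")


def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each tree line."""
    for raw in text.splitlines():
        line = raw.replace("[INFO] ", "", 1)
        m = LINE.match(line)
        if not m or ":" not in m.group(3):
            continue
        prefix, marker, coord = m.groups()
        depth = len(prefix) // 3 + (1 if marker else 0)  # 3 chars per level
        parts = coord.strip().split(":")
        scope = parts[-1] if len(parts) > 4 else None
        version = parts[-2] if scope else parts[3]
        yield depth, parts[0], parts[1], version, scope


def version_tuple(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_vulnerable(tree_text, fixed_version="1.10.0",
                    group="org.apache.commons", artifact="commons-text"):
    """Return each occurrence of the artifact below fixed_version, with the
    chain of parent artifacts that pulls it in (useful for deciding whether a
    dependencyManagement override or an upstream release is the fix)."""
    findings = []
    path = []  # artifacts from the root down to the current node
    for depth, g, a, v, scope in parse_tree(tree_text):
        del path[depth:]
        path.append(a)
        if (g, a) == (group, artifact) and version_tuple(v) < version_tuple(fixed_version):
            findings.append({"version": v, "scope": scope,
                             "via": " -> ".join(path[:-1])})
    return findings
```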
