Thanks, Emmanuel, for stating which parts of Apache Commons Text are used by the LDAP API. It does sound unaffected, but great that a new version will be produced to avoid false positives from scanners etc.
On Fri, Oct 28, 2022 at 7:14 AM Emmanuel Lécharny <[email protected]> wrote:
>
> Hi!
>
> for the record, we just use one single function of Apache commons-text,
> the StringEscapeUtils() method, which is not impacted by the CVE AFAICT,
> so I think we are safe.
>
> However, for clarity, and also to avoid the LDAP API being flagged as
> dubious by systems that look up vulnerable third party libraries, we
> should certainly cut a new version with an updated commons-text version.
>
> I will work on it ASAP.
>
> Thanks!
>
> On 2022/10/27 10:30, Travis Spencer wrote:
> > Good morning, all.
> >
> > org.apache.directory.api:api-all depends on Apache text-commons
> > version 1.9 which has a CVE with a score of 9.8. Is there an update in
> > the works that uses a non-vulnerable version of text-commons? I didn't
> > find an issue in Jira.
> >
> > Also, is the usage of the LDAP client susceptible to the issue?
> >
> > The CVE is CVE-2022-42889.
> >
> > --
> >
> > TIA!
> >
> > Travis Spencer
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> [email protected] https://www.busit.com/
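The thread makes two points a practitioner will want to act on: the dependency scanners Emmanuel mentions flag commons-text purely by version, regardless of whether the interpolating StringSubstitutor is used, and the remedy is to bump the transitive dependency. The script below is an added example, not code from this thread or from the Apache Directory project. It parses `mvn dependency:tree` output and flags any `org.apache.commons:commons-text` in the range named in the CVE-2022-42889 advisory (1.5 through 1.9, fixed in 1.10.0), reporting the path through which it is pulled in so you know which parent to upgrade. The tree text is constructed for the example; the `2.1.x` version of `api-all` is a placeholder, since the thread does not name the fixed release. Coordinates with a classifier (five-part lines) are not handled.

```python
import re
from typing import Dict, List, Tuple

# Affected range per the CVE-2022-42889 advisory: Apache Commons Text 1.5
# through 1.9 are affected; 1.10.0 is the first fixed release.
AFFECTED_MIN: Tuple[int, ...] = (1, 5)
FIXED_IN: Tuple[int, ...] = (1, 10, 0)

# One line of `mvn dependency:tree` output, e.g.
#   [INFO] |  +- org.apache.commons:commons-text:jar:1.9:compile
# The tree-drawing prefix (|, +-, \-, spaces) is 3 characters per nesting level.
# Lines with a classifier (group:artifact:type:classifier:version:scope) are skipped.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\\s-]*"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):"
    r"(?P<version>[\w.-]+)(?::(?P<scope>\w+))?\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0); stop at the first non-numeric piece."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if a commons-text version falls inside the advisory's affected range."""
    v = parse_version(version)
    return bool(v) and AFFECTED_MIN <= v < FIXED_IN


def find_affected(tree_text: str) -> List[Dict[str, str]]:
    """Scan dependency:tree output; return each affected commons-text with its path."""
    findings: List[Dict[str, str]] = []
    stack: List[str] = []  # coordinates of the ancestors at each nesting depth
    for line in tree_text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        depth = (m.start("group") - len("[INFO] ")) // 3
        coord = f"{m['group']}:{m['artifact']}:{m['version']}"
        del stack[depth:]          # drop siblings and their subtrees
        stack.append(coord)
        if (m["group"], m["artifact"]) == ("org.apache.commons", "commons-text") \
                and is_affected(m["version"]):
            findings.append({"version": m["version"], "path": " -> ".join(stack)})
    return findings


# Constructed sample output (not captured from a real build). The api-all
# version "2.1.x" is a placeholder, not a real release number.
VULNERABLE_TREE = """\
[INFO] com.example:ldap-client:jar:1.0.0
[INFO] +- org.apache.directory.api:api-all:jar:2.1.x:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Same constructed tree after the parent was bumped to a commons-text 1.10.0 build.
FIXED_TREE = """\
[INFO] com.example:ldap-client:jar:1.0.0
[INFO] +- org.apache.directory.api:api-all:jar:2.1.x:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    for name, tree in (("before", VULNERABLE_TREE), ("after", FIXED_TREE)):
        hits = find_affected(tree)
        print(f"{name}: {len(hits)} affected commons-text dependency(ies)")
        for hit in hits:
            print(f"  commons-text {hit['version']} via {hit['path']}")
```

In practice, feed it `mvn dependency:tree | python3 check_commons_text.py` style output from the real build; the reported path tells you whether the fix is a direct version override or, as in this thread, waiting for the parent artifact to ship with an updated commons-text.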
