Hi Gary,

Thanks for your mail.

In almost all versions of our product we have upgraded commons-io to v2.11.0, 
which is the latest. We have a couple of old versions of our product where we 
still support Java 7, and there we need CVE-2021-29425 to be fixed in commons-io.

We can see that commons-io (https://commons.apache.org/proper/commons-io/) v2.6 
is the last release which is based on Java 7.

We would like to do the following and need a little help from you:

We would like to download the commons-io v2.6 source 
(https://archive.apache.org/dist/commons/io/source/), apply the 
CVE-2021-29425 changes to it, build the library ourselves (using Java 7) and 
use it. Before using it we have an official process to get approvals to use it, 
which we will be following.

Normally we follow this process for libraries which we use and for which there 
has been no official release for more than 2 years. In such cases, we absorb the 
source of that library, maintain it, fix any of the CVEs reported in it and use it.

Can we get the GitHub link for the changes for CVE-2021-29425? Preferably from the 
v2.7 branch, so that it will be easy for us to port the changes to v2.6 for our usage.

Is this possible?

Thanks and Regards,
Ravi.
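
A backport like the one described above needs a regression check so the team can confirm the rebuilt jar actually carries the fix. The following is an added example written for this thread; it is not code from the thread or from the Apache Commons project. Per the CVE-2021-29425 advisory, FilenameUtils.normalize() in releases before 2.7 returned inputs such as "//../foo" and "\\..\foo" unchanged instead of rejecting them, so a caller that built a file path from the result could reach the parent directory. The class below assumes the rebuilt commons-io 2.6 jar is on the classpath and that the fixed normalize() returns null for those inputs, as 2.7 and later do; the class name and the temp-directory base used in main() are assumptions made for the example, and the code stays within Java 7 syntax.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.io.FilenameUtils;

/**
 * Regression check for a backport of the CVE-2021-29425 fix into a Java 7 build
 * of commons-io. Added example, not code from the thread or from Apache Commons.
 * Assumes the rebuilt FilenameUtils is on the classpath and that, as in 2.7+,
 * normalize() returns null for a UNC-style prefix whose host part is "..".
 */
public final class Cve202129425Check {

    /** Inputs quoted in the CVE text; before the fix normalize() returned them unchanged. */
    static final String[] MALFORMED_INPUTS = { "//../foo", "\\\\..\\foo" };

    /**
     * Returns the inputs the library still passes through, i.e. evidence that the
     * fix is missing. An empty list means the backport behaves like 2.7 and later.
     */
    public static List<String> findUnrejectedInputs() {
        List<String> unrejected = new ArrayList<String>();
        for (String input : MALFORMED_INPUTS) {
            String normalized = FilenameUtils.normalize(input);
            if (normalized != null) {
                unrejected.add(input + " -> " + normalized);
            }
        }
        return unrejected;
    }

    /**
     * Caller-side defence that does not depend on the library version: normalize,
     * resolve against the base directory, and require that the canonical result
     * stays under that directory.
     */
    public static boolean staysInside(File base, String untrusted) throws IOException {
        String normalized = FilenameUtils.normalize(untrusted);
        if (normalized == null) {
            return false; // normalize() already judged the path invalid or escaping
        }
        String basePath = base.getCanonicalPath() + File.separator;
        String target = new File(base, normalized).getCanonicalPath();
        return target.startsWith(basePath);
    }

    public static void main(String[] args) throws IOException {
        List<String> unrejected = findUnrejectedInputs();
        if (unrejected.isEmpty()) {
            System.out.println("normalize() rejects the CVE-2021-29425 inputs");
        } else {
            System.out.println("FIX MISSING, still accepted: " + unrejected);
        }
        // Assumed base directory for the containment demo.
        File base = new File(System.getProperty("java.io.tmpdir"));
        System.out.println("docs/readme.txt inside tmpdir: " + staysInside(base, "docs/readme.txt"));
        System.out.println("//../foo inside tmpdir: " + staysInside(base, "//../foo"));
    }
}
```

Run it once against the unpatched 2.6 jar and once against the rebuilt jar: the first run should list the two inputs as still accepted, the second should report that they are rejected. The containment check in staysInside() is worth keeping in calling code regardless of the library version, since it rejects the traversal whether normalize() returns null or hands the input back unchanged.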

From: Gary Gregory [mailto:garydgreg...@gmail.com]
Sent: Monday, December 13, 2021 5:47 PM
To: Commons Users List <user@commons.apache.org>
Cc: Ravi Yelamarthy <ravi.yelamar...@oracle.com>
Subject: [External] : Re: [io] Regarding CVE-2021-29425: APACHE COMMONS IO 
UPDATE

Hello Surendra,

You will need to update to Commons IO 2.7 or later, the current version is 
2.11.0.

Commons IO 2.4 is based on Java 6; see 
https://commons.apache.org/proper/commons-io/ for which version requires which 
Java version.

There is no currently planned support for old versions of Commons IO based on 
Java 6 or 7.

Gary


On Mon, Dec 13, 2021 at 6:08 AM Surendra Pulukuri 
<surendra.puluk...@oracle.com> wrote:
Hi Team,

As per the security vulnerability CVE-2021-29425: we are using commons-io v2.4 
as a 3rd-party library in our code base (Java 1.7 compatible). To move to the 
latest version of commons-io, where the security vulnerability CVE-2021-29425 
has been fixed starting from v2.7, or to v2.11.0: both are Java 1.8 compatible.

Is there any way to use v2.6 (the final version of commons-io which is compatible 
with Java 1.7) with the security vulnerability CVE-2021-29425 in it? Or are there 
any plans to make the security vulnerability CVE-2021-29425 fix on commons-io v2.6?

Please guide us. This is blocking our patch to customers.

Thanks,
Surendra
