tuxji commented on pull request #699: URL: https://github.com/apache/daffodil/pull/699#issuecomment-995089953
> I'm still confused. I thought 2.6.0.1 was supposed to have just a single change for the CVE. But according to the tag on GitHub, there's a bunch of changes:
>
> https://github.com/hunterhacker/jdom/compare/JDOM-2.0.6...JDOM-2.0.6.1
>
> Maybe this is fine, but the history of this release is still not clear to me.

Jason Hunter (the current JDOM maintainer) built this jdom-2.0.6.1 jar himself rather than using the jdom-2.0.6.1 jar built by someone who forked the repository. He asked JDOM users to test the jar and also figured out how to upload the jar to Sonatype so that it would be picked up by Maven Central. The jar and its tagged branch are legitimate, even though the tagged branch has more changes than just the single change for the CVE. I agree that the release's contents and history aren't very clear, though. Let's go ahead and merge this change in, though, so Daffodil won't have an open CVE.
