Fortress core also uses this lib, have just upgraded, release in a couple of weeks.
> On Jan 4, 2019, at 5:40 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> Hi Colm,
>
> I doubt Mavibot is going to be hit by this CVE, but we can upgrade and cut a
> release if needed.
>
> Give me a bit of time to double check.
>
> On 04/01/2019 11:17, Colm O hEigeartaigh wrote:
>> Hi all,
>>
>> I'm wondering if there are any plans to get another Mavibot release out? It
>> still depends on Commons Collections 3.2.1 (I upgraded it in 2016 -
>> https://github.com/apache/directory-mavibot/commit/5f5fa0f5e9a95be45a004a4d137f9a29a9f7991d#diff-600376dffeb79835ede4a0b285078036),
>> which has a deserialization CVE associated with it. Maybe we could get
>> another release out even if it just contains this fix to avoid bundling a
>> vulnerable library?
>>
>> Colm.
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
