May make sense to upgrade to commons collections 4? It was just updated in the LDAP API, server, and studio. However, because of Mavibot, version 3 is also still required in server and studio. I'll give it a try.

On 1/4/19 12:40 PM, Emmanuel Lécharny wrote:
> Hi Colm,
>
> I doubt Mavibot is going to be hit by this CVE, but we can upgrade and
> cut a release if needed.
>
>
> Give me a bit of time to double check.
>
>
> On 04/01/2019 11:17, Colm O hEigeartaigh wrote:
>> Hi all,
>>
>> I'm wondering if there are any plans to get another Mavibot release
>> out? It still depends on Commons Collections 3.2.1 (I upgraded it in
>> 2016 -
>> https://github.com/apache/directory-mavibot/commit/5f5fa0f5e9a95be45a004a4d137f9a29a9f7991d#diff-600376dffeb79835ede4a0b285078036),
>> which has a deserialization CVE associated with it. Maybe we could get
>> another release out even if it just contains this fix to avoid
>> bundling a vulnerable library?
>>
>> Colm.
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
