Hi, I'm back from vacation.

Indeed, we now target JDK 11 and encourage people to upgrade. This is pac4j v5. This is where we focus our efforts. All new features and security fixes are done on this branch.

If you still need JDK 8, pac4j v4 still exists but almost no longer evolves. Critical security fixes are still applied on this branch when requested.

Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6: https://www.pac4j.org/docs/release-notes.html

So you just need to upgrade to this version which is JDK 8 based.

Thanks.
Best regards,
Jérôme

On Thu, Jul 28, 2022 at 20:27, larry mccay <[email protected]> wrote:

> Hi Jérôme -
>
> Hope you are well!
>
> We have a need to upgrade to a new version of pac4j that
> addresses CVE-2021-44878.
> However, it appears that the version of pac4j with the fix requires Java
> 11 or above.
>
> Can we request a new release with Java 8 support as we are not able to
> drop support for it at this time without broad discussion and community
> agreement? Even then we would need to provide a Knox release with the fix
> backported for those that can't upgrade to 11+.
>
> If we could help with this effort, please let us know.
>
> thanks,
>
> --larry
