Thanks for the response, @Jérôme LELEU <[email protected]>! I missed this email, likely due to my vacation. :)
On Tue, Aug 2, 2022 at 6:46 AM Sandeep Moré <[email protected]> wrote:

> Thank you Jerome!
> For now we will upgrade to v4.5.6 to mitigate the CVE risks while we
> chart out the plan to move to JDK 11.
> This will force us to think about moving to JDK 11, which I think is time
> for us to move.
>
> On Mon, Aug 1, 2022 at 3:31 AM Jérôme LELEU <[email protected]> wrote:
>
>> Hi,
>>
>> I'm back from vacation.
>>
>> Indeed, we now target JDK 11 and encourage people to upgrade. This is pac4j v5.
>> This is where we focus our efforts. All new features and security fixes are
>> done on this branch.
>>
>> If you still need JDK 8, pac4j v4 still exists but almost no longer evolves.
>> Critical security fixes are still applied on this branch when requested.
>>
>> Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6:
>> https://www.pac4j.org/docs/release-notes.html
>> So you just need to upgrade to this version, which is JDK 8 based.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>> On Thu, Jul 28, 2022 at 20:27, larry mccay <[email protected]> wrote:
>>
>> > Hi Jérôme -
>> >
>> > Hope you are well!
>> >
>> > We have a need to upgrade to a new version of pac4j that
>> > addresses CVE-2021-44878.
>> > However, it appears that the version of pac4j with the fix requires Java
>> > 11 or above.
>> >
>> > Can we request a new release with Java 8 support, as we are not able to
>> > drop support for it at this time without broad discussion and community
>> > agreement? Even then we would need to provide a Knox release with the fix
>> > backported for those that can't upgrade to 11+.
>> >
>> > If we could help with this effort, please let us know.
>> >
>> > thanks,
>> >
>> > --larry
