Sun, 3 Oct 2021 at 11:16 i...@flyingfischer.ch <i...@flyingfischer.ch> wrote:
>
> Hi Łukasz
>
> any reason why we cannot use XStream 1.4.18 instead of version
> 1.4.16?
>
> There seem to be a bunch of recent CVEs fixed in 1.4.18, released on
> August 22, 2021
>
> http://x-stream.github.io/
>
> As far as I can see, it still supports Java 7. Only the next major
> release 1.5 will require Java 8. However, we should upgrade Struts to
> Java 8 anyway.

The problem is that it's not a drop-in replacement, the OVal plugin needs to be upgraded as well [1]. I mean, you can replace XStream on your own if you do not use the OVal plugin. I have some concerns introducing such changes into 2.5.x as behaviour has slightly changed.

[1] https://github.com/apache/struts/pull/499

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/