Hi, I would like to vote for a release of Tuweni. (We use it in our project
Besu)

Two CVEs have been brought to my attention that are present in Tuweni
version 2.0.0 but will be fixed in the next version.
CVE details:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for
temporary file and folder creation. An attacker was able to read data from
such files and list directories due to insecure permissions.

   - Visible here:
     https://mvnrepository.com/artifact/org.apache.tuweni/tuweni-bytes/2.0.0
   - CVE-2020-29582
   - CVE-2020-21913

Extract from gradle -q dependencies:

   | | | | +--- org.apache.tuweni:tuweni-bytes -> 2.0.0
   | | | | | +--- com.google.guava:guava:27.0.1-jre -> 31.0.1-jre
   | | | | | | +--- com.google.guava:failureaccess:1.0.1
   | | | | | | +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
   | | | | | | +--- com.google.code.findbugs:jsr305:3.0.2
   | | | | | | +--- org.checkerframework:checker-qual:3.12.0 -> 3.19.0
   | | | | | | +--- com.google.errorprone:error_prone_annotations:2.7.1 -> 2.10.0
   | | | | | | \--- com.google.j2objc:j2objc-annotations:1.3
   | | | | | +--- org.connid:framework:1.3.2
   | | | | | +--- org.connid:framework-internal:1.3.2
   | | | | | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.4.20
   | | | | | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.6.10
   | | | | | | +--- org.jetbrains:annotations:13.0
   | | | | | | \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.6.10
   | | | | | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.4.20
   | | | | | \--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.6.10 (*)

Thanks,
Sally
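
As an added example (not part of Sally's message or of the Tuweni project), the following Python check reads `gradle -q dependencies` output and flags Kotlin stdlib artifacts whose resolved version predates the 1.4.21 fix named in the CVE text; it surfaces what the extract above shows, namely that kotlin-stdlib itself was upgraded to 1.6.10 while kotlin-stdlib-jdk7 and kotlin-stdlib-jdk8 stayed at 1.4.20. The sample tree is constructed from that extract with the e-mail line wrapping undone.

```python
import re
from typing import Dict, List

# Constructed sample: the Kotlin part of the tree quoted in the message above,
# with the e-mail line wrapping undone. Not output captured by this script.
SAMPLE_TREE = """\
| | | | +--- org.apache.tuweni:tuweni-bytes -> 2.0.0
| | | | | +--- com.google.guava:guava:27.0.1-jre -> 31.0.1-jre
| | | | | \\--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.4.20
| | | | | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.6.10
| | | | | | \\--- org.jetbrains.kotlin:kotlin-stdlib-common:1.6.10
| | | | | \\--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.4.20
| | | | | \\--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.6.10 (*)
"""

KOTLIN_FIXED = (1, 4, 21)  # CVE-2020-29582 is fixed from Kotlin 1.4.21 on

# tree prefix, group:artifact[:declared], optional "-> resolved", optional "(*)"/"(c)"
LINE_RE = re.compile(
    r"^[|\s]*[+\\]---\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+)"
    r"(?::(?P<declared>\S+))?(?:\s+->\s+(?P<resolved>\S+))?(?:\s+\(\S\))?\s*$"
)

def parse_tree(text: str) -> List[Dict[str, str]]:
    """One dict per dependency line, carrying the version Gradle actually resolved."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (m["resolved"] or m["declared"]):
            deps.append({"group": m["group"], "artifact": m["artifact"],
                         "resolved": m["resolved"] or m["declared"]})
    return deps

def version_tuple(v: str) -> tuple:
    """Numeric components before any qualifier: '31.0.1-jre' -> (31, 0, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def vulnerable_kotlin(deps: List[Dict[str, str]]) -> List[str]:
    """Kotlin stdlib artifacts whose resolved version predates the fix, deduplicated."""
    return sorted({
        f"{d['group']}:{d['artifact']}:{d['resolved']}" for d in deps
        if d["group"] == "org.jetbrains.kotlin"
        and d["artifact"].startswith("kotlin-stdlib")
        and version_tuple(d["resolved"]) < KOTLIN_FIXED
    })

if __name__ == "__main__":
    for hit in vulnerable_kotlin(parse_tree(SAMPLE_TREE)):
        print("still vulnerable:", hit)
```

Feed it the full output of `gradle -q dependencies` to see every transitive path that still resolves to a pre-1.4.21 stdlib artifact, not just the one under tuweni-bytes.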
