Hi all,

A vulnerability has been discovered affecting versions 1.5 to 1.9 of Apache Commons Text: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

I've seen that DSpace 7 uses version 1.9 of this library: https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850

It is recommended to update to 1.10, but I haven't tested it yet myself. Just wanted to make sure everyone who is using DSpace 7 in production is aware of this.

Regards,
Oriol

PS: Here are some more links about the vulnerability:
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
https://www.securityweek.com/critical-apache-commons-text-flaw-compared-log4shell-not-widespread
https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/
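A quick way to check a running DSpace deployment, rather than only the pom, is to look at which commons-text jar is actually on disk and compare its version with the 1.5 to 1.9 range given in the notice. The script below is an added example, not code from the DSpace project or from the original message; the directory you point it at (for example the backend webapp's WEB-INF/lib) and the sample jar names are assumptions.

```python
"""Flag Apache Commons Text jars whose version falls in the affected range (1.5 to 1.9)."""
import os
import re

# Range as stated in the advisory; 1.10 is the recommended fixed release.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)

# Matches the plain artifact name, e.g. commons-text-1.9.jar or commons-text-1.10.0.jar
JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.9' -> (1, 9); '1.10' -> (1, 10). Tuple comparison avoids the string trap '1.10' < '1.9'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the version lies inside the range named in the notice."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def flag_jars(paths):
    """Return (path, version) for every commons-text jar in the affected range."""
    hits = []
    for path in paths:
        match = JAR_RE.match(os.path.basename(path))
        if match and is_affected(match.group(1)):
            hits.append((path, match.group(1)))
    return hits


def scan_dir(root):
    """Walk a deployment directory (assumed location, e.g. .../WEB-INF/lib) and flag affected jars."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return flag_jars(paths)


if __name__ == "__main__":
    # Constructed sample listing; a real run would use scan_dir("/path/to/WEB-INF/lib").
    SAMPLE = ["commons-text-1.9.jar", "commons-lang3-3.12.0.jar", "commons-text-1.10.0.jar"]
    for path, version in flag_jars(SAMPLE):
        print(f"{path}: commons-text {version} is in the affected range; upgrade to 1.10")
```

Note that a jar renamed or shaded into another artifact will not be caught by the filename match, so the pom.xml dependency tree remains the authoritative check.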
