On Thu, Oct 20, 2022 at 01:55:05AM -0700, [email protected] wrote:
> A vulnerability has been discovered affecting versions 1.5 to 1.9 of 
> Apache Commons Text:
> https://nvd.nist.gov/vuln/detail/CVE-2022-42889
> 
> I've seen that DSpace 7 uses the 1.9 version of this library:
> https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850
> 
> It is recommended to update to 1.10, but I haven't tested it yet myself. 
> Just wanted to make sure everyone who is using DSpace 7 in production is 
> aware of this.

Thank you for passing the word.  This was noted yesterday, and a patch
exists:

https://github.com/DSpace/DSpace/pull/8537

So far, analysis of the use of Commons Text in DSpace suggests that
DSpace is not vulnerable to this particular issue, but the developers
are watching carefully for further developments.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
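The thread above identifies the affected range (commons-text 1.5 through 1.9, fixed in 1.10) and points at a pom.xml. Below is an added example, not code from the thread or from the DSpace project, that scans a pom.xml for the org.apache.commons:commons-text dependency, resolves a `${...}` version property if one is used, and reports whether the declared version falls in the affected range. The pom fragment is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range from the advisory quoted in the thread (CVE-2022-42889):
# commons-text 1.5 through 1.9 inclusive; 1.10 carries the fix.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)

# Constructed pom.xml fragment for this example; not DSpace's actual pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-text.version>1.9</commons-text.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'1.9' -> (1, 9); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def commons_text_versions(pom_xml):
    """Return declared commons-text versions, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = dep.findtext("m:version", "", NS).strip()
        if (gid, aid) != ("org.apache.commons", "commons-text"):
            continue
        # Substitute ${name} with the value from <properties>, if defined.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        found.append(ver)
    return found

def is_affected(version):
    """True if major.minor lies within the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v[:2] <= AFFECTED_MAX

def audit(pom_xml):
    return [(v, is_affected(v)) for v in commons_text_versions(pom_xml)]
```

This only inspects direct declarations; a transitive pull-in of commons-text is visible in the output of `mvn dependency:tree`, which is the check to run on a built project.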

You received this message because you are subscribed to the Google Groups 
"DSpace Community" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-community/Y1E2ryFJYqQr7zhJ%40IUPUI.Edu.