Hi all,
A vulnerability has been discovered affecting versions 1.5 to 1.9 of 
Apache Commons Text:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889

I've seen that DSpace 7 uses version 1.9 of this library:
https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850

It is recommended to update to 1.10, but I haven't tested it yet myself. 
Just wanted to make sure everyone who is using DSpace 7 in production is 
aware of this.

Regards,
Oriol

PS: Here are some more links about the vulnerability
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
https://www.securityweek.com/critical-apache-commons-text-flaw-compared-log4shell-not-widespread
https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/
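Before upgrading, it is worth confirming which commons-text version a build actually resolves, since a transitive dependency can pull in a different version than the one declared in the POM. The following is an added example (not part of Oriol's message or of DSpace itself): a small POSIX shell script that scans `mvn dependency:tree` output for `org.apache.commons:commons-text` and flags versions in the 1.5 through 1.9 range named in the advisory. The dependency tree shown is a constructed sample, and the DSpace artifact version in it is an assumption; in practice you would pipe in the output of `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` run in the DSpace source tree.

```shell
#!/bin/sh
# Added example, not DSpace project code: flag commons-text versions
# affected by CVE-2022-42889 (1.5 through 1.9, per the advisory) in
# `mvn dependency:tree` output.

# Constructed sample of dependency:tree output (artifact versions are
# illustrative assumptions). Real input would come from:
#   mvn dependency:tree -Dincludes=org.apache.commons:commons-text
SAMPLE_TREE='[INFO] org.dspace:dspace-api:jar:7.4
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

# commons_text_status VERSION
# Prints "vulnerable" for 1.5 <= VERSION <= 1.9, otherwise "ok".
# Handles two- and three-part versions (1.9, 1.10.0) and trailing
# qualifiers such as -SNAPSHOT by comparing major and minor numerically.
commons_text_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # strip any non-numeric qualifier from the minor component
    case "$minor" in
        *[!0-9]*) minor=${minor%%[!0-9]*} ;;
    esac
    if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]; then
        echo vulnerable
    else
        echo ok
    fi
}

# commons_text_versions TREE_TEXT
# Emits each distinct commons-text version present in the tree text.
commons_text_versions() {
    printf '%s\n' "$1" \
        | grep -o 'org\.apache\.commons:commons-text:jar:[^:]*' \
        | cut -d: -f4 \
        | sort -u
}

# scan_tree TREE_TEXT
# Prints "commons-text <version>: <status>" for each version found.
# Returns 1 if any version is in the affected range, 0 otherwise.
scan_tree() {
    found=0
    for v in $(commons_text_versions "$1"); do
        s=$(commons_text_status "$v")
        echo "commons-text $v: $s"
        [ "$s" = vulnerable ] && found=1
    done
    return $found
}

# Stand-alone run against the constructed sample.
if scan_tree "$SAMPLE_TREE"; then
    echo "no affected commons-text version resolved"
else
    echo "action: pin commons-text to 1.10.0 or later and rebuild"
fi
```

The version check deliberately looks only at major and minor, so 1.10.0 is correctly treated as outside the range even though it sorts before 1.9 lexically; a plain string comparison would get that wrong.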

