RyanSkraba commented on pull request #919: URL: https://github.com/apache/avro/pull/919#issuecomment-646633912
@iemejia What do you think -- is this CVE a reason to wait for 1.10.0 RC2? On the one hand, the plexus-util jar with the vulnerability will only be on the machine *building* Avro specific records, and XML injection could only be done from the pom.xml sitting _right there_ in front of the user running Maven... on the other hand, a lot of build machines are CI (Jenkins) and automatic/expensive shared resources.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
