[ https://issues.apache.org/jira/browse/FILEUPLOAD-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17887996#comment-17887996 ]
Didier Loiseau commented on FILEUPLOAD-357:
-------------------------------------------

Yes, we need to assess options. It’s just that things are easier if you don’t have to manage versions of transitive dependencies (especially since dependency management in transitive dependencies is not applied in Maven <4, so it must be dealt with by end-users or an explicit dependency must be added in libraries).

> Backport commons-io upgrade in 1.x for CVE-2024-47554
> -----------------------------------------------------
>
>                 Key: FILEUPLOAD-357
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-357
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 1.5
>            Reporter: Didier Loiseau
>            Priority: Major
>
> Would it be possible to release a new version of commons-fileupload 1.x that
> depends on the fixed commons-io (2.14+) for
> [CVE-2024-47554|https://nvd.nist.gov/vuln/detail/CVE-2024-47554]?
> Note that there does not seem to be a “patch” release of commons-io with the
> fix, only minor releases. Maybe commons-io should publish a patch for release
> 2.11, in order to publish a commons-fileupload 2.15.1 with the fix?
> p.s. it seems version 1.5 hasn’t been marked as released in Jira

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
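The comment above points out that, in Maven 3, a dependencyManagement section inside a library's own pom is not applied when that library is pulled in transitively, so the consumer must pin the version itself (or the library must declare commons-io directly). The following consumer pom is an added example, not part of the FILEUPLOAD-357 thread and not code from the Commons FileUpload or Commons IO projects. It assumes a project whose only route to commons-io is commons-fileupload 1.5, and it uses placeholder coordinates (com.example:upload-service); 2.14.0 is simply the minimum version the issue names as carrying the fix.

```xml
<!-- Added example (not from the FILEUPLOAD-357 thread or the Commons projects):
     a consumer pom that forces the transitive commons-io to a version that
     contains the CVE-2024-47554 fix and fails the build if an older one
     still resolves. Coordinates com.example:upload-service are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>upload-service</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Maven 3 applies the *consumer's* dependencyManagement to transitive
           dependencies, so this overrides the commons-io version declared in
           commons-fileupload's own pom. 2.14.0 is the minimum named in the
           issue; prefer the newest 2.x available when you apply this. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.14.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library that drags commons-io in transitively. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.5</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard rail: break the build if any path (direct or transitive)
           still resolves a commons-io older than 2.14.0, e.g. after someone
           adds another dependency that manages its own version. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-commons-io</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Version range: anything below 2.14.0 is banned. -->
                    <exclude>commons-io:commons-io:[,2.14.0)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=commons-io:commons-io` before trusting a scanner's verdict; the enforcer rule then keeps the pin honest over time. Note the asymmetry the comment describes: the pin above only works because it sits in the consuming project. A library cannot protect its downstream users this way through dependencyManagement alone, which is why the alternative for a library such as commons-fileupload is to declare the fixed commons-io as a direct dependency.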