[
https://issues.apache.org/jira/browse/CONFIGURATION-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18032275#comment-18032275
]
Barry Caceres (Senzing) commented on CONFIGURATION-854:
-------------------------------------------------------
I just assumed a patch-fix update like 2.12.1 for a critical CVE that was fixed
in July would have been released by October. It is easy to understand that a
feature update like a 2.13.0 can get held up, but I thought this one went out
and something went wrong with the publishing to Maven Central.
Do you know when it will be released? In the meantime, I will add the direct
dependency to `commons-lang3` for the desired version (currently it is a
transitive dependency we pick up from `commons-configuration2`).
> Version 2.12.1 Missing from Maven Central
> -----------------------------------------
>
> Key: CONFIGURATION-854
> URL: https://issues.apache.org/jira/browse/CONFIGURATION-854
> Project: Commons Configuration
> Issue Type: Bug
> Components: Build
> Affects Versions: 2.12.0
> Reporter: Barry Caceres (Senzing)
> Priority: Major
>
> CVE-2025-48924 was reported against dependency commons-lang3 version 3.17.0
> and this dependency was supposedly fixed in July 2025 according to
> https://issues.apache.org/jira/browse/CONFIGURATION-853
>
> According to the release notes there is a version 2.12.1 that includes this
> fix, but that release has no date assigned to it (it shows YYYY-MM-DD
> placeholder).
> See: [https://commons.apache.org/proper/commons-configuration/changes.html]
> Just need this version 2.12.1 made available on Maven Central.