[ https://issues.apache.org/jira/browse/CONFIGURATION-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18032277#comment-18032277 ]

Gary D. Gregory commented on CONFIGURATION-854:
-----------------------------------------------

Hello [~barrycsz]

A CVE in a dependency is not the same as a CVE on the importing project, and 
doesn't automatically trigger a release. Changing the dependency is easily done 
in the consuming application and may be necessary anyway if the dependency 
comes in from multiple places.

Releasing is definitely on my todo list but we have other components with bug 
fixes that need releases first (Parent, IO, Lang, Compress). Then other 
components like Configuration will come after.

HTH

> Version 2.12.1 Missing from Maven Central
> -----------------------------------------
>
>                 Key: CONFIGURATION-854
>                 URL: https://issues.apache.org/jira/browse/CONFIGURATION-854
>             Project: Commons Configuration
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 2.12.0
>            Reporter: Barry Caceres (Senzing)
>            Priority: Major
>
> CVE-2025-48924 was reported against dependency commons-lang3 version 3.17.0 
> and this dependency was supposedly fixed in July 2025 according to 
> https://issues.apache.org/jira/browse/CONFIGURATION-853
>  
> According to the release notes there is a version 2.12.1 that includes this 
> fix, but that release has no date assigned to it (it shows YYYY-MM-DD 
> placeholder).
> See: [https://commons.apache.org/proper/commons-configuration/changes.html]
> Just need this version 2.12.1 made available on Maven Central.
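A consumer-side override of the kind Gary describes above, as an added example that is not from this thread or the Commons project. The groupId/artifactId values are the standard Maven coordinates of these artifacts; the pinned version is a placeholder because this thread does not state which commons-lang3 release fixes CVE-2025-48924 (see CONFIGURATION-853).

```xml
<!-- Added example pom.xml fragment (not from this thread). Assumes the
     consuming application declares commons-configuration2 2.12.0, which
     brings in commons-lang3 3.17.0 transitively. -->
<project>
  <!-- A pin in dependencyManagement wins over every transitive request
       for commons-lang3, however many dependency paths bring it in, so it
       is preferred over adding an <exclusion> to each dependency. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <!-- PLACEHOLDER: the commons-lang3 release that fixes CVE-2025-48924 -->
        <version>COMMONS_LANG3_FIXED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-configuration2</artifactId>
      <version>2.12.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3`, which also lists every path by which commons-lang3 enters the build; any remaining 3.17.0 line means the pin is not in scope for that module.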



--
This message was sent by Atlassian Jira
(v8.20.10#820010)