[ https://issues.apache.org/jira/browse/CONFIGURATION-776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18041469#comment-18041469 ]

Gary D. Gregory commented on CONFIGURATION-776:
-----------------------------------------------

[~lprimak]

If you are talking about CVE-2019-10086:
 - Configuration 2.13.0 depends on BeanUtils 1.11.0, which does not include 
BeanUtils CVEs.
 - Configuration 2.12.0 depends on BeanUtils 1.10.1, which does not include 
BeanUtils CVEs.
 - Configuration 2.11.0 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.10.1 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.10.0 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.9.0 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.8.0 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.7 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.6 depends on BeanUtils 1.9.4, which does not include 
BeanUtils CVEs.
 - Configuration 2.5 depends on BeanUtils 1.9.3, where BeanUtils has 
CVE-2019-10086.

[Apache Shiro git master depends on BeanUtils 
1.11.0|https://github.com/apache/shiro/blob/8cbc6645de36b6fcee0c246b8e98966fe74bde25/pom.xml#L90].

What's the issue?


> Update Commons BeanUtils from 1.9. to 2.X
> -----------------------------------------
>
>                 Key: CONFIGURATION-776
>                 URL: https://issues.apache.org/jira/browse/CONFIGURATION-776
>             Project: Commons Configuration
>          Issue Type: Task
>    Affects Versions: 2.6
>            Reporter: Melloware
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Update Apache Commons BeanUtils from 1.9. to 2.X
> BeanUtils 2.X removes its dependency on Commons Collections but does change 
> package name to the beanutils2 package.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
