[
https://issues.apache.org/jira/browse/OPENNLP-1820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095869#comment-18095869
]
Eric Pugh commented on OPENNLP-1820:
------------------------------------
Hi all.. Release 1.9.5 backported some fixes for CVE's, however they continue
to show up in the records as affecting 1.9.5. For example, this vulnerability
shows up correctly in Maven:
https://mvnrepository.com/artifact/org.apache.opennlp/opennlp-tools/1.9.4 but
ALSO shows up incorrectly in
https://mvnrepository.com/artifact/org.apache.opennlp/opennlp-tools/1.9.5. I
am unclear how we update the https://www.cve.org/CVERecord?id=CVE-2026-42027
records.
> Restrict ExtensionLoader to allowlisted package prefixes
> --------------------------------------------------------
>
> Key: OPENNLP-1820
> URL: https://issues.apache.org/jira/browse/OPENNLP-1820
> Project: OpenNLP
> Issue Type: Bug
> Affects Versions: 2.5.8, 3.0.0-M1, 3.0.0-M2
> Reporter: Martin Wiesner
> Assignee: Richard Zowalla
> Priority: Minor
> Fix For: 1.9.5, 2.5.9, 3.0.0-M3
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)