[ 
https://issues.apache.org/jira/browse/OPENNLP-1820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095869#comment-18095869
 ] 

Eric Pugh commented on OPENNLP-1820:
------------------------------------

Hi all..   Release 1.9.5 backported some fixes for CVE's, however they continue 
to show up in the records as affecting 1.9.5.   For example, this vulnerability 
shows up correctly in Maven: 
https://mvnrepository.com/artifact/org.apache.opennlp/opennlp-tools/1.9.4 but 
ALSO shows up incorrectly in 
https://mvnrepository.com/artifact/org.apache.opennlp/opennlp-tools/1.9.5.   I 
am unclear how we update the https://www.cve.org/CVERecord?id=CVE-2026-42027 
records.   

> Restrict ExtensionLoader to allowlisted package prefixes
> --------------------------------------------------------
>
>                 Key: OPENNLP-1820
>                 URL: https://issues.apache.org/jira/browse/OPENNLP-1820
>             Project: OpenNLP
>          Issue Type: Bug
>    Affects Versions: 2.5.8, 3.0.0-M1, 3.0.0-M2
>            Reporter: Martin Wiesner
>            Assignee: Richard Zowalla
>            Priority: Minor
>             Fix For: 1.9.5, 2.5.9, 3.0.0-M3
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to