Xmlbeans 3.0.1 passed the unit tests, so I made the commit. I believe what happened here is that we rejected the Dependabot pull request to 4.x because it wouldn't build, so we missed the 3.x upgrade which at least solves the CVE.
Regards,
Robert

On Fri, Mar 12, 2021 at 2:40 AM Andrew Marlow <marlow.age...@gmail.com> wrote:
> Hello everyone,
>
> The soon to be released axis2 version 1.8.0 depends on xmlbeans 2.6.0
> which is exposed to CVE-2021-23926, which is ranked by NIST as 9.1
> critical. Can't we move to version 3.0.1? I tried that and it all built ok.
> I also tried version 4.0.0 but that had problems due to API changes. I
> think 3.0.1 should be safe, hopefully.
>
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk