Re: [beanutils2] CVE-2014-0114 Pull Request
> On May 25, 2019, at 3:15 PM, Matt Sicker wrote:
>
> Hi, I've gone ahead and approved it after review. Since I'm not active in beanutils, I'd prefer someone else to either merge it or add an approval review first. My company has also been moving toward eliminating vulnerable versions of dependencies, and we use beanutils (1.9.x currently) in some limited fashion.

Will put eyes on this in the next 24 hours.

-Rob

>> On Thu, 23 May 2019 at 06:29, Melloware Inc wrote:
>>
>> Hey All!
>>
>> First time contributor here. My company has a corporate goal to only use open source libraries with NO open security CVEs marked as critical.
>>
>> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket: https://issues.apache.org/jira/browse/BEANUTILS-520
>>
>> I submitted my first Apache Commons PR which addresses the issue which I was hoping I could get code reviewed and hopefully merged. I followed all guidelines and included a specific unit test to prove the issue and the fix.
>>
>> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>>
>> I really feel like this is an important fix to have security on by default and still allow the ability to opt-out and make it backwards compatible. I hope the Apache community feels the same way!
>>
>> Thanks,
>> Melloware
>
> --
> Matt Sicker
>
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
Re: [beanutils2] CVE-2014-0114 Pull Request
Hi, I've gone ahead and approved it after review. Since I'm not active in beanutils, I'd prefer someone else to either merge it or add an approval review first. My company has also been moving toward eliminating vulnerable versions of dependencies, and we use beanutils (1.9.x currently) in some limited fashion.

On Thu, 23 May 2019 at 06:29, Melloware Inc wrote:
>
> Hey All!
>
> First time contributor here. My company has a corporate goal to only use open source libraries with NO open security CVEs marked as critical.
>
> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket: https://issues.apache.org/jira/browse/BEANUTILS-520
>
> I submitted my first Apache Commons PR which addresses the issue which I was hoping I could get code reviewed and hopefully merged. I followed all guidelines and included a specific unit test to prove the issue and the fix.
>
> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>
> I really feel like this is an important fix to have security on by default and still allow the ability to opt-out and make it backwards compatible. I hope the Apache community feels the same way!
>
> Thanks,
> Melloware

--
Matt Sicker
[beanutils2] CVE-2014-0114 Pull Request
Hey All!

First time contributor here. My company has a corporate goal to only use open source libraries with NO open security CVEs marked as critical.

BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket: https://issues.apache.org/jira/browse/BEANUTILS-520

I submitted my first Apache Commons PR which addresses the issue which I was hoping I could get code reviewed and hopefully merged. I followed all guidelines and included a specific unit test to prove the issue and the fix.

Pull Request: https://github.com/apache/commons-beanutils/pull/7

I really feel like this is an important fix to have security on by default and still allow the ability to opt-out and make it backwards compatible. I hope the Apache community feels the same way!

Thanks,
Melloware