Hello Ravi, It is technically possible but I personally do not want to take the time to dig the repository on your behalf. I am sorry but I have other priorities right now.
Gary

On Fri, Dec 17, 2021, 05:10 Ravi Yelamarthy <ravi.yelamar...@oracle.com> wrote:

> Hi Gary,
>
> Thanks for your mail.
>
> In almost all versions of our product we have upgraded commons-io to v2.11.0, which is the latest. We have a couple of old versions of our product where we still support Java 7, and here we need CVE-2021-29425 to be fixed in commons-io.
>
> We can see that commons-io <https://commons.apache.org/proper/commons-io/> v2.6 is the last release which is based on Java 7.
>
> We would like to do the below and need your little help here:
>
> We would like to download the commons-io v2.6 source <https://archive.apache.org/dist/commons/io/source/>, apply the CVE-2021-29425 changes to it, build the library ourselves (using Java 7) and use it. Before using it we have an official process to get approvals to use it, which we will be doing.
>
> Normally we follow this process for libraries which we use when there is no official release for more than 2 years. In such cases, we absorb the source of that library, maintain it, fix any of the CVEs reported in it and use it.
>
> Can we get the GitHub link for the changes for CVE-2021-29425? Preferably from the v2.7 branch, so that it will be easy for us to port the changes to v2.6 for our usage.
>
> Is this possible?
>
> Thanks and Regards,
> Ravi.
>
> *From:* Gary Gregory [mailto:garydgreg...@gmail.com]
> *Sent:* Monday, December 13, 2021 5:47 PM
> *To:* Commons Users List <user@commons.apache.org>
> *Cc:* Ravi Yelamarthy <ravi.yelamar...@oracle.com>
> *Subject:* [External] : Re: [io] Regarding CVE-2021-29425: APACHE COMMONS IO UPDATE
>
> Hello Surendra,
>
> You will need to update to Commons IO 2.7 or later; the current version is 2.11.0.
>
> Commons IO 2.4 is based on Java 6, see https://commons.apache.org/proper/commons-io/ for which version requires which Java version.
>
> There is no currently planned support for old versions of Commons IO based on Java 6 or 7.
>
> Gary
>
> On Mon, Dec 13, 2021 at 6:08 AM Surendra Pulukuri <surendra.puluk...@oracle.com> wrote:
>
> Hi Team,
>
> As per this security vulnerability CVE-2021-29425, we are using commons-io v2.4 as a 3rd party application in our code base (Java 1.7 compatible). To move to the latest version of commons-io where the security vulnerability CVE-2021-29425 has been fixed: starting from v2.7 or v2.11.0, both are Java 1.8 compatible.
>
> Is there any way to use v2.6 (the final version of commons-io which is compatible with Java 1.7) with the security vulnerability CVE-2021-29425 in it? Or are there any plans to make the security vulnerability CVE-2021-29425 fix on commons-io v2.6?
>
> Please guide us. This is blocking our patch to customers.
>
> Thanks,
> Surendra