AFAICT the CVE relates to FilenameUtils.normalize.

I suggest you compare the current code with the code in 2.6 and apply
any changes.

You can also look through the GitHub commit log for changes relating
to the file that contains the method.


On Fri, 17 Dec 2021 at 14:14, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Hello Ravi,
>
> It is technically possible, but I personally do not want to take the time to
> dig through the repository on your behalf. I am sorry, but I have other
> priorities right now.
>
> Gary
>
>
>
> On Fri, Dec 17, 2021, 05:10 Ravi Yelamarthy <ravi.yelamar...@oracle.com>
> wrote:
>
> > Hi Gary,
> >
> > Thanks for your mail.
> >
> > In almost all versions of our Product we have upgraded commons-io to
> > v2.11.0, which is the latest. We have a couple of old versions of our product
> > where we still support Java 7, and here we need CVE-2021-29425 to be fixed in
> > commons-io.
> >
> > We can see that commons-io <https://commons.apache.org/proper/commons-io/>
> > v2.6 is the last release which is based on Java 7.
> >
> > We would like to do the below and need a little help from you here:
> >
> > We would like to download the commons-io v2.6 source
> > <https://archive.apache.org/dist/commons/io/source/>, apply the
> > CVE-2021-29425 changes to it, build (using Java 7) the library ourselves
> > and use it. Before using it we have an official process to get approvals to
> > use it, which we will be doing.
> >
> > Normally we follow this process for libraries we use when there has
> > been no official release for more than 2 years. In such cases, we absorb the
> > source of that library, maintain it, fix any of the CVEs reported in it
> > and use it.
> >
> > Can we get the GitHub link for the changes for CVE-2021-29425? Preferably from
> > the v2.7 branch, so that it will be easy for us to port the changes to v2.6 for
> > our usage.
> >
> > Is this possible?
> >
> > Thanks and Regards,
> >
> > Ravi.
> >
> > *From:* Gary Gregory [mailto:garydgreg...@gmail.com]
> > *Sent:* Monday, December 13, 2021 5:47 PM
> > *To:* Commons Users List <user@commons.apache.org>
> > *Cc:* Ravi Yelamarthy <ravi.yelamar...@oracle.com>
> > *Subject:* [External] : Re: [io] Regarding CVE-2021-29425: APACHE COMMONS
> > IO UPDATE
> >
> > Hello Surendra,
> >
> > You will need to update to Commons IO 2.7 or later, the current version is
> > 2.11.0.
> >
> > Commons IO 2.4 is based on Java 6, see
> > https://commons.apache.org/proper/commons-io/
> > for which version requires which Java version.
> >
> > There is no currently planned support for old versions of Commons IO based
> > on Java 6 or 7.
> >
> > Gary
> >
> > On Mon, Dec 13, 2021 at 6:08 AM Surendra Pulukuri <
> > surendra.puluk...@oracle.com> wrote:
> >
> > Hi Team,
> >
> > As per the security vulnerability CVE-2021-29425: we are using commons-io
> > v2.4 as a 3rd party application in our code base (Java 1.7 compatible). To
> > move to the latest version of commons-io, where the security vulnerability
> > CVE-2021-29425 has been fixed starting from v2.7, or to v2.11.0: both are Java 1.8
> > compatible.
> >
> > Is there any way to use v2.6 (the final version of commons-io which is
> > compatible with Java 1.7) with the security vulnerability CVE-2021-29425 in it?
> > Or are there any plans to make the security vulnerability CVE-2021-29425 fix on
> > commons-io v2.6?
> >
> > Please guide us. This is blocking our patch to customers.
> >
> > Thanks,
> > Surendra
> >

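For anyone backporting the fix to a private 2.6 build, the check worth running afterwards is the one the thread does not spell out: feed the inputs from the CVE description through FilenameUtils.normalize and confirm the backported build no longer passes them through. The class below is an example added here; it is not code from the thread or from Commons IO. It assumes commons-io is on the classpath (2.6 to reproduce the problem, a fixed build to verify), and the names NormalizeCheck, resolveUnsafe, resolveSafe and normalizeRejectsTraversal are mine. The expectation that a fixed build returns null for "//../foo" is my reading of the 2.7 change (host-name validation added to the UNC prefix handling), so verify it against your own build rather than taking it from here.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

/**
 * Example added for this thread, not code from Commons IO itself.
 * Assumes commons-io on the classpath: 2.6 reproduces the CVE-2021-29425
 * behaviour, 2.7 or a correctly backported 2.6 build rejects the inputs.
 * Written against Java 7 APIs only.
 */
public class NormalizeCheck {

    // Inputs from the CVE description: a UNC-style "//" or "\\" prefix
    // makes normalize() treat ".." as a host name instead of a parent reference.
    static final String[] TRAVERSAL_INPUTS = { "//../foo", "\\\\../foo" };

    /** Vulnerable pattern: trusting normalize() alone to remove "..". */
    static File resolveUnsafe(File baseDir, String userPath) {
        String normalized = FilenameUtils.normalize(userPath);
        if (normalized == null) {
            // A fixed build returns null for the CVE inputs (assumption stated above);
            // callers must handle that case rather than dereference it.
            throw new IllegalArgumentException("invalid path: " + userPath);
        }
        return new File(baseDir, normalized);
    }

    /** Hardened pattern: canonicalize the result and require it to stay under baseDir. */
    static File resolveSafe(File baseDir, String userPath) throws IOException {
        File candidate = resolveUnsafe(baseDir, userPath);
        String base = baseDir.getCanonicalPath() + File.separator;
        String target = candidate.getCanonicalPath();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    /** True if this build of commons-io rejects the CVE inputs, false if it passes them through. */
    static boolean normalizeRejectsTraversal() {
        for (String input : TRAVERSAL_INPUTS) {
            if (FilenameUtils.normalize(input) != null) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scratch directory; the point is to see where "foo" ends up.
        File base = new File(System.getProperty("java.io.tmpdir"), "normalize-check");
        base.mkdirs();
        System.out.println("commons-io rejects CVE-2021-29425 inputs: " + normalizeRejectsTraversal());
        for (String input : TRAVERSAL_INPUTS) {
            System.out.println("normalize(" + input + ") = " + FilenameUtils.normalize(input));
            try {
                System.out.println("  unsafe resolves to " + resolveUnsafe(base, input).getCanonicalPath());
            } catch (IllegalArgumentException e) {
                System.out.println("  unsafe: " + e.getMessage());
            }
            try {
                System.out.println("  safe resolves to " + resolveSafe(base, input).getCanonicalPath());
            } catch (IllegalArgumentException e) {
                System.out.println("  safe: " + e.getMessage());
            }
        }
    }
}
```

On an unpatched 2.6 build on Unix, normalize("//../foo") comes back unchanged, and resolveUnsafe lands on a file in the parent of the base directory, which is the "limited" traversal the CVE describes; resolveSafe rejects the same input because the canonical path no longer starts with the base. Whatever the library does, the canonical-path containment check in resolveSafe is the control to keep, since normalize() was never documented as a sandboxing function.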