On Thu, 18 Mar 2021 at 08:20, Bolz, Michael <michael.b...@sap.com> wrote:
> Unfortunately we do not have the option to easily update to the new artifacts,
> as we get Velocity 1.7 as a transitive dependency.
> Even if we exclude the old 1.7 version and add the 2.3 version, we expect
> problems based on the behaviour and API changes mentioned in [1].
>
> Hence, we are trying to understand whether Velocity 1.7 is affected by the
> CVE-2020-13959 vulnerability.
> At least currently it looks like it is affected, as 2.x and 1.x have the
> same codebase (as far as I understand).
I would report this issue in the project that depends on the old Velocity version; maybe they will fix it, or in the worst-case scenario you will have to prepare a PR - hopefully they will merge it quickly :)

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@velocity.apache.org
For additional commands, e-mail: user-h...@velocity.apache.org
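For reference, the exclude-and-override approach Michael mentions, as an added Maven example that is not part of the original thread and not code from SAP or the Velocity project. It assumes the artifact coordinates Velocity publishes (the 1.x line as `org.apache.velocity:velocity`, the 2.x engine as `org.apache.velocity:velocity-engine-core`) and uses a placeholder `com.example:some-library` to stand for whatever library drags in 1.7 transitively. Whether the upgraded code path actually works for that library is exactly the open question in the thread; the snippet only shows how to force the version in the build.

```xml
<!-- Added example (not from the thread). Coordinates for Velocity are the
     published ones; com.example:some-library is a placeholder for the
     dependency that pulls in Velocity 1.7 transitively. -->
<project>
  <dependencies>
    <!-- The library that transitively brings in org.apache.velocity:velocity:1.7 -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <!-- Drop the old 1.x artifact from this library's transitive closure -->
        <exclusion>
          <groupId>org.apache.velocity</groupId>
          <artifactId>velocity</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Add the 2.x engine explicitly; note the artifactId changed between 1.x and 2.x,
         so a plain <dependencyManagement> version pin on "velocity" would not replace it -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.velocity` should list only `velocity-engine-core:2.3` and no `velocity:1.7`. If `velocity:1.7` still appears, another dependency is pulling it in and needs its own exclusion. The build passing is not proof the library works against 2.x: the library's own code still calls the 1.x API it was compiled against, which is the behaviour and API change risk Michael refers to with [1], and it is why the reply above suggests raising the issue with that project rather than patching the classpath from outside.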