> I would report this issue in the project that depends on the old Velocity version, maybe they will fix it or in the worst case scenario you will have to prepare a PR - hopefully they will merge it quickly :)

This was what I started in parallel to my investigation of whether 1.7 is vulnerable or not ;o) Unfortunately the opensaml library [1][2], which has the dependency on Velocity 1.7, seems somehow active (last release February 2021), but I did not find any hint of the related source code repo ;o( Now I try my luck with the project homepage [3] and their issue tracker [4] ;o)

[1]: https://search.maven.org/artifact/org.opensaml/opensaml-saml-impl/3.4.6/jar
[2]: https://mvnrepository.com/artifact/org.opensaml/opensaml-saml-impl/3.4.6
[3]: https://wiki.shibboleth.net/confluence/display/OSAML/Home
[4]: https://issues.shibboleth.net/jira/projects/OSJ/issues/OSJ-318?filter=allopenissues

On 18. Mar 2021, at 08:26, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> Thu, 18 Mar 2021 at 08:20 Bolz, Michael <michael.b...@sap.com> wrote:
>
> > Unfortunately we do not have the option to easily update to the new artifacts, as we get Velocity 1.7 as a transitive dependency. Even if we exclude the old 1.7 version and add the 2.3 version, we expect problems based on the behaviour and API changes mentioned [1]. Hence, we try to understand if Velocity 1.7 is affected by the CVE-2020-13959 vulnerability. At least currently it looks like it is affected, as the 2.x and 1.x have the same codebase (as far as I understand).
>
> I would report this issue in the project that depends on the old Velocity version, maybe they will fix it or in the worst case scenario you will have to prepare a PR - hopefully they will merge it quickly :)
>
> Regards
> --
> Łukasz
> + 48 606 323 122
> http://www.lenart.org.pl/
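The "exclude the old 1.7 version and add the 2.3 version" approach discussed in the thread, written out as a Maven `pom.xml` fragment. This is an added example, not code from the thread, from Velocity or from the opensaml project; the `opensaml-saml-impl` 3.4.6 coordinates come from the footnotes above, and the Velocity coordinates (`org.apache.velocity:velocity` for 1.x, `org.apache.velocity:velocity-engine-core` for 2.x) are the published Maven Central artifact ids.

```xml
<!-- Added example (not from the thread): keep the library that drags in
     Velocity 1.7 transitively, but remove that edge and pin Velocity 2.3. -->
<dependencies>
  <dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml-saml-impl</artifactId>
    <version>3.4.6</version>
    <exclusions>
      <!-- Drop the transitive 1.x artifact so it no longer reaches the classpath -->
      <exclusion>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Velocity 2.x is published under a different artifactId, so a plain
       <version> override would not replace 1.7; it must be declared explicitly. -->
  <dependency>
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity-engine-core</artifactId>
    <version>2.3</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.velocity` shows whether any other path still resolves `velocity:1.7`; each such path needs its own `<exclusion>`. The exclusion only changes what is on the classpath: whether opensaml's own code still compiles and runs against the 2.x API is exactly the compatibility concern raised in the quoted message, so the swap has to be backed by the application's integration tests rather than by a clean dependency tree alone.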