Hi!
For the record, we just use one single function of Apache commons-text,
the StringEscapeUtils() method, which is not impacted by the CVE AFAICT,
so I think we are safe.
However, for clarity, and also to avoid the LDAP API being flagged as
dubious by systems that look up at vulnerable third party libraries, we
should certainly cut a new version with an updated commons-text version.
I will work on it ASAP.
Thanks!
On 2022/10/27 10:30, Travis Spencer wrote:
Good morning, all.
org.apache.directory.api:api-all depends on Apache commons-text
version 1.9 which has a CVE with a score of 9.8. Is there an update in
the works that uses a non-vulnerable version of commons-text? I didn't
find an issue in Jira.
Also, is the usage of the LDAP client susceptible to the issue?
The CVE is CVE-2022-42889.
--
TIA!
Travis Spencer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
For additional commands, e-mail: users-h...@directory.apache.org
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
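A consumer-side mitigation for projects depending on api-all until a release with the updated commons-text is cut, as an added example that is not from this thread or the Directory project: force the transitive commons-text to 1.10.0 (the release that fixed CVE-2022-42889) through Maven dependencyManagement. The api-all version is a placeholder; the commons-text coordinates are the real ones.

```xml
<!-- Constructed example: consumer pom.xml fragment, not Directory project code.
     The transitive commons-text 1.9 pulled in via api-all is overridden
     with the patched 1.10.0 for the whole build. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.10.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-all</artifactId>
    <!-- placeholder: use the api-all version your project actually depends on -->
    <version>API_ALL_VERSION_PLACEHOLDER</version>
  </dependency>
</dependencies>
```

After the override, `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` should list only 1.10.0, which is also what dependency scanners that flag 1.9 will look at.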