How about excluding the offending jar from the Maven distribution for future releases?
Gary

On Thu, Oct 3, 2024, 12:29 PM Tamás Cservenák <ta...@cservenak.net> wrote:

> Howdy,
>
> AFAIK it is not.
> Guava is not part of Maven API (is not exposed to plugins and such)
> and is not used in Maven at all.
> The only reason why Guava is present in Maven distro is Guice (as you
> noted, Guice depends on Guava), but even then, Guice (AFAIK,
> have to emphasize, please check) is not using the vulnerable class in
> Guava.
> Guava is contained but is "confined" in Maven.
>
> HTH
> Tamas
>
> On Thu, Oct 3, 2024 at 5:45 PM Lakshmi Satya Sai Sindhu Karri
> <laka...@microsoft.com> wrote:
> >
> > Hi Tamas Cservenak,
> >
> > Could you please confirm if maven-3.8.x is affected by CVE-2023-2976?
> >
> > Regards,
> > Sindhu
> >
> > From: Lakshmi Satya Sai Sindhu Karri
> > Sent: 03 October 2024 10:41
> > To: users@maven.apache.org
> > Subject: Requesting fix for CVE-2023-2976 in maven 3.8.x
> >
> > Hi,
> >
> > Referring to the discussion in [MNG-7828] Bump guava from 30.1-jre to
> > 32.0.1-jre by bvolpato · Pull Request #1191 · apache/maven (github.com),
> > which is a fix for NVD - CVE-2023-2976 (nist.gov), maven-3.8.x is still maintained.
> >
> > So, can you confirm if maven-3.8.x is affected by the CVE? Request to
> > provide a patch if applicable.
> >
> > Background about the CVE:
> >
> > maven-3.8.7 uses guice, which in turn fetches guava-25.1 as a
> > dependency. Guava-25.1 is vulnerable. A safe guava version is 32.0.1.
> >
> > Is there any plan to upgrade the guice version in maven-3.8.x so that
> > the corresponding guava it fetches is safe?
> >
> > Regards,
> > Sindhu
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org
>
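An added example, not code from the thread or from the Maven project: a POSIX shell check that inspects a Maven installation's lib/ directory for a shipped Guava jar older than 32.0.1, the version the thread names as not affected by CVE-2023-2976. The guava-<version>-<flavour>.jar naming and the demo directory at the bottom are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Maven project.
# Reports whether a Maven installation's lib/ directory ships a Guava jar
# older than 32.0.1, the release the thread names as not affected by
# CVE-2023-2976. Jar naming (guava-<version>-<flavour>.jar) is assumed.

SAFE_GUAVA="32.0.1"

# Extract the version from a Guava jar name: guava-25.1-android.jar -> 25.1
guava_version_of() {
    basename "$1" .jar | sed -n 's/^guava-\([0-9.]*\).*$/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing component-wise;
# missing components count as 0 (so 32.0 < 32.0.1). Avoids non-POSIX sort -V.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print a verdict for each Guava jar under $1; return 1 if any is below SAFE_GUAVA.
check_maven_lib() {
    status=0
    for jar in "$1"/guava-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        ver=$(guava_version_of "$jar")
        if version_ge "$ver" "$SAFE_GUAVA"; then
            echo "OK       $jar (guava $ver)"
        else
            echo "AFFECTED $jar (guava $ver < $SAFE_GUAVA)"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed directory that mimics lib/ of a Maven 3.8.x distro.
demo=$(mktemp -d)
touch "$demo/guava-25.1-android.jar" "$demo/maven-core-3.8.7.jar"
if check_maven_lib "$demo"; then echo "no affected Guava in $demo"; fi
rm -rf "$demo"
```

On a real installation run `check_maven_lib "$MAVEN_HOME/lib"`. As Tamás notes above, a Guava jar being present does not by itself mean the vulnerable class is reachable, so treat a hit as something to verify rather than a confirmed exposure.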