Hi,

Apologies if I posted through the wrong channels. Will have a look at the guidelines. Thanks 🙏 for sharing the pointers on the work that has been done!

1.18.1 could be a good idea, I think; as you say, it would make people more comfortable, as there is much noise around this CVE and the immediate conclusion that a patch is needed, while it may be that a product is not vulnerable to it although it has the library as a dependency.

Thanks again!
/Tom

> On 21 Oct 2022, at 20:10, Joe Witt <[email protected]> wrote:
>
> Tom
>
> In the future if you're concerned or have questions about a
> vulnerability/potential vulnerability please follow the guidance here.
> https://nifi.apache.org/security.html
>
> Here you can see what we've done for this already on main
> https://issues.apache.org/jira/browse/NIFI-10648 with more info in
> https://github.com/apache/nifi/pull/6531
>
> It doesn't seem like it thus far but might be worth kicking out a
> 1.18.1 just to help people feel more comfortable. Will share more if
> that shapes up.
>
> Thanks
> Joe
>
>> On Fri, Oct 21, 2022 at 10:50 AM Tom Coudyzer <[email protected]> wrote:
>>
>> Hi,
>>
>> I looked on the Apache Nifi site and linked sites to find information on how
>> CVE-2022-42889 impacts Apache Nifi.
>>
>> I found an issue report and merge request which indicates the library Apache
>> Commons Text has been upgraded to the patched version (1.10) and it will be
>> part of v1.19.0
>>
>> I could however not find when this version will be released. Could that be
>> checked somewhere?
>>
>> Second question is if Nifi is impacted by this vulnerability because it
>> could be that the usage of this library in Apache Nifi does not allow it to
>> exploit this vulnerability.
>>
>> Thank you very much for any feedback and thank you to the open source
>> community for having made Apache Nifi and maintaining/improving this product.
>>
>> /Tom
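The thread's point is that carrying Apache Commons Text as a dependency is not the same as being exploitable, but the first thing a defender still needs is an accurate inventory of which commons-text versions are on the classpath. The following is an added example, not code from this thread or from the NiFi project: it scans a constructed `mvn dependency:tree` excerpt for commons-text coordinates and flags any release older than 1.10.0 (the fix for CVE-2022-42889) for review, comparing versions numerically rather than as strings.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of `mvn dependency:tree` output.
# It is NOT real Apache NiFi output; the coordinates are illustrative.
SAMPLE_TREE = """\
[INFO] org.example:my-app:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- org.example:some-plugin:jar:2.3.0:compile
[INFO]    \\- org.apache.commons:commons-text:jar:1.10.0:compile
"""

# Commons Text 1.10.0 is the release that addresses CVE-2022-42889.
FIXED_VERSION = "1.10.0"

# groupId:artifactId:type:version[:scope]
COORD_RE = re.compile(
    r"org\.apache\.commons:commons-text:(?P<type>[^:]+):(?P<version>[^:\s]+)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    A plain string comparison would wrongly rank '1.9' above '1.10'."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b ('1.10' == '1.10.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def find_commons_text(tree: str) -> List[str]:
    """Every commons-text version present in the dependency tree, in order."""
    return [m.group("version") for m in COORD_RE.finditer(tree)]


def assess(tree: str) -> dict:
    """Report outdated copies. An outdated copy means the build needs review
    (does untrusted input reach StringSubstitutor interpolation?); it does
    not by itself mean the product is exploitable."""
    versions = find_commons_text(tree)
    outdated = [v for v in versions if version_lt(v, FIXED_VERSION)]
    return {"versions": versions, "outdated": outdated, "needs_review": bool(outdated)}
```

Run `assess` on the output of `mvn dependency:tree` captured from your own build; a transitive 1.9 copy shadowed by a direct 1.10.0 dependency still shows up, which is exactly the case Maven's nearest-wins resolution can hide.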
