jaxb-tools

Request for release due to updated commons-io

Open joffeoja opened this issue 10 months ago • 1 comments

Please make point releases for at least the *-runtime modules that would fix the vulnerability related to commons-io. I see that the dependabot PR for version 2.11.0->2.14.0 was merged a while back, so the code should already be good to go.

Here are two Maven links with the vulnerability for reference:

  • https://mvnrepository.com/artifact/org.jvnet.jaxb/jaxb-plugins-runtime/4.0.8
  • https://mvnrepository.com/artifact/org.jvnet.jaxb/jaxb2-basics-runtime/2.0.14

joffeoja, Feb 21 '25 06:02

Hi @joffeoja

Thanks for the report, we are working on this with @mattrpav

Regards

laurentschoelens, Feb 21 '25 07:02

Note: commons-io is used as a test dependency, so the CVE does not apply.

I'll start a set of releases to calm down the repo security scan tools anyway.

mattrpav, Mar 31 '25 21:03
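A quick way to verify a "test dependency only" claim like the one above before chasing a scanner finding (added example, not code from jaxb-tools): parse the module's POM and report whether a flagged artifact such as commons-io is declared in a scope that reaches downstream consumers. The POM below is a constructed sample, not the project's real pom.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (not the real jaxb-plugins-runtime pom.xml):
# a runtime module that declares commons-io only in test scope.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.jvnet.jaxb</groupId>
  <artifactId>jaxb-plugins-runtime</artifactId>
  <version>4.0.8</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-api</artifactId>
      <version>1.0</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Scopes whose artifacts land on a consumer's classpath and are inherited
# transitively. test, provided and system do not. An omitted scope means compile.
SHIPPED_SCOPES = {"compile", "runtime"}


def dependency_scopes(pom_xml):
    """Map (groupId, artifactId) -> (version or None, effective scope)."""
    root = ET.fromstring(pom_xml)
    result = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (dep.findtext("m:groupId", namespaces=NS),
               dep.findtext("m:artifactId", namespaces=NS))
        version = dep.findtext("m:version", namespaces=NS)  # None if managed elsewhere
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        result[key] = (version, scope)
    return result


def reaches_consumers(pom_xml, group_id, artifact_id):
    """True if the named dependency is shipped to projects depending on this module."""
    entry = dependency_scopes(pom_xml).get((group_id, artifact_id))
    return entry is not None and entry[1] in SHIPPED_SCOPES


if __name__ == "__main__":
    for (g, a), (v, s) in dependency_scopes(SAMPLE_POM).items():
        print(f"{g}:{a}:{v} scope={s} shipped={s in SHIPPED_SCOPES}")
```

Dependencies whose version comes from a parent's dependencyManagement show up with version None; resolve those against the parent POM before comparing to an advisory's affected range.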

4.0.9 release complete

laurentschoelens, Apr 11 '25 07:04

2.0.15 released too. Need to publish release notes.

laurentschoelens, Apr 11 '25 08:04