Sean Leary
Yes, the new release will come out later today.
Release `20231013` is available, and is the earliest version that fixes the vulnerability. Have patience; it can take some time before it appears in the Maven repo.
@lhazlewood It was not strictly necessary. How important is this to you? What version of Java do you use? Can you upgrade to Java 8?
@elrob @TimoBuechert Release `20231013` is now available in the Maven public repository.
@PayBas Thanks for checking. Perhaps they found a different way to recreate the problem.
The CVE still appears to be under analysis, but hopefully it will be cleared soon, too. https://nvd.nist.gov/vuln/detail/CVE-2023-5072
@lhazlewood Yes, this can be done. Will the same code in a different repo work for you?
@lhazlewood It has not been decided yet. Might be a different repo that is published to Maven and tracks JSON-Java but is Java 7 compatible, or #741 might be reverted,...
@johnjaylward Your idea sounds like a good approach and probably the least disruptive of the options. What do you think this would look like in the Maven repo?
@nathan454 Are you working on the same project as @lhazlewood, or is this a new request?