Posted to user@commons.apache.org by Daniel Wille <dw...@gmail.com> on 2021/07/09 14:11:28 UTC
commons-fileupload dependency and CVE
Hi all,
I recently noted that commons-fileupload:commons-fileupload:1.4 has a
dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425).
This could be mitigated by simply updating the dependency version to 2.7 or
later. Would it be possible to publish a newer version of
commons-fileupload with these changes?
Thanks,
Daniel Wille
Re: commons-fileupload dependency and CVE
Posted by Mark Thomas <ma...@apache.org>.
On 09/07/2021 15:11, Daniel Wille wrote:
> Hi all,
>
> I recently noted that commons-fileupload:commons-fileupload:1.4 has a
> dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425).
> This could be mitigated by simply updating the dependency version to 2.7 or
> later. Would it be possible to publish a newer version of
> commons-fileupload with these changes?
Mitigate what?
Commons FileUpload doesn't use the code in Commons IO affected by
CVE-2021-29425.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
Re: commons-fileupload dependency and CVE
Posted by Ralph Goers <ra...@dslextreme.com>.
FWIW, libraries generally are compatible with newer versions of their dependencies, so long
as the major version number doesn’t change. So you can mitigate this yourself by updating
your application to use Commons IO 2.7 or later.
Ralph
> On Jul 9, 2021, at 4:11 AM, Daniel Wille <dw...@gmail.com> wrote:
>
> Hi all,
>
> I recently noted that commons-fileupload:commons-fileupload:1.4 has a
> dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425).
> This could be mitigated by simply updating the dependency version to 2.7 or
> later. Would it be possible to publish a newer version of
> commons-fileupload with these changes?
>
> Thanks,
> Daniel Wille
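Ralph's suggestion, overriding the transitive Commons IO version in your own build rather than waiting for a new FileUpload release, looks like this in a Maven pom.xml. This is an added example, not code from the thread or from the Commons projects. The commons-fileupload and commons-io coordinates and versions are the ones named in the thread; the project coordinates (com.example:upload-service) are placeholders.

```xml
<!-- Added example (not from the thread or the Commons projects): a Maven
     pom.xml that pins commons-io to 2.7 so that the 2.2 declared by
     commons-fileupload 1.4 is no longer what ends up on the classpath.
     Project coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>upload-service</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the version a transitive dependency
           declares, so this replaces the commons-io 2.2 that
           commons-fileupload 1.4 would otherwise pull in. Staying within
           major version 2 is what keeps FileUpload 1.4 compatible, per
           Ralph's point above. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library that brings commons-io in transitively. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.4</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm what actually resolved with `mvn dependency:tree -Dincludes=commons-io`; the output should show commons-io:commons-io:jar:2.7 under commons-fileupload, and a scanner that flags CVE-2021-29425 against the resolved classpath should go quiet. Declaring commons-io 2.7 as a direct dependency has the same effect in Maven, since a direct declaration is nearer than the transitive one and wins, but dependencyManagement makes the intent (a deliberate override) visible to the next person reading the build.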