Posted to issues@nifi.apache.org by "Joe Witt (Jira)" <ji...@apache.org> on 2022/11/08 16:56:00 UTC

[jira] [Resolved] (NIFI-10779) Apache Nifi latest version is packaged with Vulnerable version of Apache Texts

     [ https://issues.apache.org/jira/browse/NIFI-10779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Witt resolved NIFI-10779.
-----------------------------
    Resolution: Information Provided

If you were reporting a true vulnerability please follow our security guidance on our site.

We have resolved these concerns on our main branch.  We will have this in 1.19.0.  We don't currently have a plan to make a 1.18.1 but it is possible/likely depending on how long until we do 1.19.0.

We don't have direct exposure to the vulnerable method, but nevertheless in this climate we lean to removing all such library versions deemed dangerous.

> Apache Nifi latest version is packaged with Vulnerable version of Apache Texts
> ------------------------------------------------------------------------------
>
>                 Key: NIFI-10779
>                 URL: https://issues.apache.org/jira/browse/NIFI-10779
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.18.0
>            Reporter: GANESH  NAGARAJAN
>            Priority: Major
>
> [Release Notes - ASF JIRA (apache.org)|https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12352150]
> Version 1.18 - Didn't mention any issues resolved towards apache texts vulnerability
> [Apache Commons Text Remote Code Execution Vulnerability (zscaler.com)|https://www.zscaler.com/blogs/security-research/security-advisory-apache-commons-text-remote-code-execution-vulnerability]
>  
> When do we expect this vulnerability to be resolved, and when would the next version be available for us to use and have clean software?


