Posted to dev@uima.apache.org by "Richard Eckart de Castilho (Jira)" <de...@uima.apache.org> on 2023/01/23 12:30:00 UTC

[jira] [Commented] (UIMA-6486) Fix for FileUtil vulnerability in UIMA 2.*?

    [ https://issues.apache.org/jira/browse/UIMA-6486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679776#comment-17679776 ] 

Richard Eckart de Castilho commented on UIMA-6486:
--------------------------------------------------

There are no plans to release any new versions of the 2.x line. We have even removed references to v2 from the website recently - it is no longer supported.

The suggested course of action is to upgrade to v3.

Alternatively, you can fix the issue yourself and perform an internal release. 

Or you could become a contributor, fix v2 and propose to prepare a new release yourself. New contributors are always welcome.

We also do not use Jira anymore. Please open issues in the GitHub issue tracker: https://github.com/apache/uima-uimaj/issues/new/choose

> Fix for FileUtil vulnerability in UIMA 2.*?
> -------------------------------------------
>
>                 Key: UIMA-6486
>                 URL: https://issues.apache.org/jira/browse/UIMA-6486
>             Project: UIMA
>          Issue Type: Bug
>    Affects Versions: 2.11.0SDK
>            Reporter: Benjamin De Boe
>            Priority: Major
>
> Hi, 
> we distribute a custom annotator built on UIMA v2, which is affected by https://nvd.nist.gov/vuln/detail/CVE-2022-32287. We do not have any near-term bandwidth to upgrade our library to v3, and more critically some of our customers have other pipelines still running on v2 that they may not be able to migrate to v3 any time soon.
> Are there any plans to deliver a new v2.11 bugfix release that addresses this vulnerability?
> Thanks!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)