Bump commons-compress #8354
Conversation
This addresses CVE-2024-25710 and CVE-2024-26308. Fixes #8338
@eddumelendez is there any chance this will lead to an immediate release of 1.19.6 once merged?
Hi, thanks for the PR. There is no plan to update the dependency because of a breaking change in the API. See #8169 (comment) However, you can do it by yourself on your build file.
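The "do it yourself on your build file" route mentioned above, written out as an added example (not code from the Testcontainers project or from anyone in this thread): a Gradle Kotlin DSL fragment that pins the transitive commons-compress dependency to the 1.26.0 release referenced later in the thread as fixing CVE-2024-25710 and CVE-2024-26308. The Maven coordinates `org.testcontainers:testcontainers` and `org.apache.commons:commons-compress` are the published ones; the use of `testImplementation` and the Testcontainers version 1.19.5 are assumptions about a typical consumer build.

```kotlin
// build.gradle.kts (added example; assumes a JVM project using Testcontainers in tests)
dependencies {
    // Assumed: the consuming project declares Testcontainers 1.19.5, which
    // transitively pulls in an older commons-compress.
    testImplementation("org.testcontainers:testcontainers:1.19.5")

    // A dependency constraint overrides the transitive version without
    // changing what Testcontainers itself declares. Gradle picks the highest
    // requested version, so 1.26.0 wins over the transitive 1.24.0.
    constraints {
        testImplementation("org.apache.commons:commons-compress:1.26.0") {
            because("CVE-2024-25710 / CVE-2024-26308; see testcontainers-java#8354")
        }
    }
}
```

To confirm the override actually took effect rather than trusting the declaration, inspect the resolved graph with `./gradlew dependencyInsight --dependency commons-compress --configuration testRuntimeClasspath`; the output should show 1.26.0 selected with the `because` reason attached. The maintainer's caveat about a breaking API change still applies: run the test suite after pinning, since the constraint only changes the version that resolves, not the code in Testcontainers that calls it.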
Yes, I understand that. However, at #8169 (comment) you said
I thought that commons-compress having critical vulnerabilities would be one of those "other" reasons.
I've tested myself that upgrading independently works perfectly fine. As a library, we want to avoid users doing things like those described in that thread.
…26.0 Further upgrades for Quesnelia: Upgrade log4j from 2.22.1 to 2.23.0. Upgrade testcontainers from 1.19.5 to 1.19.6. Upgrade commons-compress from 1.24.0 to 1.26.0 fixing https://nvd.nist.gov/vuln/detail/CVE-2024-25710 https://nvd.nist.gov/vuln/detail/CVE-2024-26308 see testcontainers/testcontainers-java#8354
👋🏾 @eddumelendez How'd you manage this?
When I try to upgrade
This addresses CVE-2024-25710 and CVE-2024-26308. I know your PR template says to not open PRs to bump dependencies. However, since this is security related it has IMO a higher urgency.
Fixes #8338