Hi, I've gone ahead and approved it after review. Since I'm not active in beanutils, I'd prefer someone else to either merge it or add an approval review first. My company has also been moving toward eliminating vulnerable versions of dependencies, and we use beanutils (1.9.x currently) in some limited fashion.
On Thu, 23 May 2019 at 06:29, Melloware Inc <melloware...@gmail.com> wrote:
>
> Hey All!
>
> First time contributor here. My company has a corporate goal to only use
> open source libraries with NO open Security CVEs marked as critical.
>
> BeanUtils has CVE-2014-0114 marked as critical so I opened a ticket:
> https://issues.apache.org/jira/browse/BEANUTILS-520
>
> I submitted my first Apache Commons PR which addresses the issue, which I
> was hoping I could get code reviewed and hopefully merged. I followed all
> guidelines and included a specific unit test to prove the issue and the fix.
>
> Pull Request: https://github.com/apache/commons-beanutils/pull/7
>
> I really feel like this is an important fix to have security on by default
> and still allow the ability to opt out and make it backwards compatible. I
> hope the Apache community feels the same way!
>
> Thanks,
> Melloware

--
Matt Sicker <boa...@gmail.com>