Hi All,

Has the security issue ( https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/ ) related to commons-collections:commons-collections:3.2.2 been addressed? I cannot see it in the release notes.

FYI
Tom

On Sat, May 25, 2024 at 11:12 PM Gary Gregory <ggreg...@apache.org> wrote:
> We have fixed a few bugs and added enhancements since Apache Commons
> Validator 1.8.0 was released, so I would like to release Apache
> Commons Validator 1.9.0.
>
> Apache Commons Validator 1.9.0 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1
> (svn revision 69387)
>
> The Git tag commons-validator-1.9.0-RC1 commit for this RC is
> 191171b2fb1500d24c42a809cf13386ac8f4ecac which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-validator.git;a=commit;h=191171b2fb1500d24c42a809cf13386ac8f4ecac
>
> You may checkout this tag using:
>
> git clone https://gitbox.apache.org/repos/asf/commons-validator.git --branch commons-validator-1.9.0-RC1 commons-validator-1.9.0-RC1
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1734/commons-validator/commons-validator/1.9.0/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Sat May 25 20:36:23 UTC 2024
> commons-validator-1.9.0-bin.tar.gz=a755d2be1b9fb3cb75cb71c2c6143969eabd8ba48401dd86cad6c658e0de72e52a887e157ef38e780471382c2da68db228866303f3d4cb4500f995b8b3967476
> commons-validator-1.9.0-bin.zip=7c0cb444f4e162c46cbd356c8a3c8b166b06bcaf79b6c433ee5ad585498a1f0b4dfef3606ca4beedeef418b5b56209f86cac6dd2c1c8fa4dfe62c679df0018db
> commons-validator-1.9.0-bom.json=7e9baecc1b58f5de101d247b95d871a5b3227603a99eddf8bcce07e3656024dffc615b8ec0b765376bf640f9596581cb483830861878474fe79339bb84352cd3
> commons-validator-1.9.0-bom.xml=d4a5d380ade4eec7f7a71cb260a61901b5945129bc448894c89ae10d3375a4dac2898be6498eb3aaba60cd8c464837f7884521fc467285c0fc2f129b92e52bf9
> commons-validator-1.9.0-javadoc.jar=b4b3dee67453e72ea070140d858ff66c45ed5794b69b68760639726cea0edba1224cb2c1cda64411893ded0ba96e2758a7677e2ffa21249899630e39949d88ed
> commons-validator-1.9.0-sources.jar=f91890e90979ed1c7abcebb4b37f223a163bfc73bc3da6a4bc3469d399e7d0ff9315d89e528bab88b53cd0ef0a1c3f8c7e0e463a784f47546ae8ca8f3d4c2269
> commons-validator-1.9.0-src.tar.gz=4e36f0ec5b1b8ae9724f020c51396332444d7359988fbcceaab004cde30e223b8130315e85d9b3d568fdc30399e9e503783bb81f217fe5f846f9e14c484a1fe0
> commons-validator-1.9.0-src.zip=201ee0723d5f078b128aa7a54bc2b03494c467e6f2df843d74bf3607d085067a0ea395e1e2174fd3237248f18f8bc5e7469e72fc9378813cbe7e5397e20c03d1
> commons-validator-1.9.0-test-sources.jar=6fee6648f66e666ff49e99ef3ee49039436bd19b150eb2294d3b6a0e57dab7c0a9e7bcaecde005c478f24a21729d59365e4deb096a579b5044aafa513c90972c
> commons-validator-1.9.0-tests.jar=2c2a13fd3c242c1ab06e9ef8f6f18ed3eae392b8fb0a5c9bbce137ce0e9873820c37197a8517984a42d4804433501521c5f5970ef8ae868f8c6d2a061e88b05e
> commons-validator_commons-validator-1.9.0.spdx.json=bd19d362ae59afbe41425f57e02d4d5c32f99b9e218ebdf6ea8eaa388cb9fb28721e93781f084533e98eb345d9d7bc5a96790e06e0ac1f0d0aaff6db063042fe
>
> I have tested this with 'mvn' and 'mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy' using:
>
> openjdk version "17.0.11" 2024-04-16
> OpenJDK Runtime Environment Homebrew (build 17.0.11+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.11+0, mixed mode, sharing)
>
> Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)
> Maven home: /usr/local/Cellar/maven/3.9.7/libexec
> Java version: 17.0.11, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@17/17.0.11/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "14.5", arch: "x86_64", family: "mac"
>
> Darwin **** 23.5.0 Darwin Kernel Version 23.5.0: Wed May 1 20:09:52 PDT 2024; root:xnu-10063.121.3~5/RELEASE_X86_64 x86_64
>
> Details of changes since 1.8.0 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/RELEASE-NOTES.txt
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/site/changes-report.html
>
> Site:
>
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/site/index.html
> (note some *relative* links are broken and the 1.9.0 directories are not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 1.8.0):
>
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/site/japicmp.html
>
> RAT Report:
>
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/site/rat-report.html
>
> KEYS:
> https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Clone and checkout the RC tag
>
> git clone https://gitbox.apache.org/repos/asf/commons-validator.git --branch commons-validator-1.9.0-RC1 commons-validator-1.9.0-RC1
> cd commons-validator-1.9.0-RC1
>
> 1b) Download and unpack the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/validator/1.9.0-RC1/source
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which you then must check.
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> Older components still use Apache Clirr:
>
> This step is not required if the site includes a Clirr report page which you then must check.
>
> mvn clirr:check
>
> Newer components use JApiCmp with the japicmp Maven Profile:
>
> This step is not required if the site includes a JApiCmp report page which you then must check.
>
> mvn install -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
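The reviewer checklist quoted above covers licence, compatibility and build checks but not the step a security reviewer does first: confirming that the artifacts actually downloaded match the SHA-512 list in the VOTE e-mail before any of them are built or run. The script below is an added example written for this thread; it is not part of the Commons Validator project and is not code from Gary's or Tom's messages. It reads a list in exactly the format the e-mail uses (`#...` comment lines, then `artifact-name=sha512`) and compares every entry against a file of that name in a download directory. The function names `sha512_of` and `verify_release_hashes` are my own, and the script assumes either GNU `sha512sum` or BSD/macOS `shasum` is on `PATH`.

```shell
#!/bin/sh
# Added example (not from the thread or the Commons Validator project).
# Verifies release artifacts against a "name=sha512" list in the format
# the VOTE e-mail uses ("#Release SHA-512s" header, one artifact per line).
# Assumes either GNU sha512sum or BSD/macOS shasum is on PATH.

# Print the lowercase hex SHA-512 of one file.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_release_hashes <hashfile> <artifact-dir>
# Returns 0 only when at least one artifact was listed and every listed
# artifact exists in <artifact-dir> with the expected digest. A missing
# artifact counts as a failure: a list that silently skips files is not
# a verification.
verify_release_hashes() {
    hashfile=$1
    dir=$2
    failures=0
    checked=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and "#..." comments
        esac
        name=${line%%=*}
        # Digest is compared case-insensitively (hex tools differ in case).
        expected=$(printf '%s' "${line#*=}" | tr 'A-F' 'a-f')
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        actual=$(sha512_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            echo "  expected $expected"
            echo "  actual   $actual"
            failures=$((failures + 1))
        fi
        checked=$((checked + 1))
    done < "$hashfile"
    [ "$failures" -eq 0 ] && [ "$checked" -gt 0 ]
}

# Usage: sh verify-hashes.sh hashes.txt ./downloads
# (hashes.txt = the "#Release SHA-512s" block pasted from the VOTE e-mail,
#  ./downloads = the directory the artifacts were fetched into)
if [ "$#" -eq 2 ]; then
    verify_release_hashes "$1" "$2"
fi
```

A matching digest only proves the download is the same bytes the e-mail describes; it does not prove who produced them, since the e-mail and the files travel over the same channel. That is what the `KEYS` file referenced in the vote is for: the detached signatures should additionally be checked with `gpg --verify` against the release manager's key from that file. Tom's question about the `commons-collections` dependency is a separate check on the content rather than the integrity of the artifacts; the listed `bom.json`, `bom.xml` and `.spdx.json` files are the release's dependency inventories, and `mvn dependency:tree` on the checked-out RC tag shows the same information from the build.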