On 13/11/2025 16:21, Vladimir Sitnikov wrote:
> Would you please consider fixing the CVE and releasing it via 2.6.1?
> As far as I understand, backporting the fix would be trivial, and it would
> really help for those who still use commons-lang:2.6.
> I could help with backporting the fix, however I would need the help of PMC
> to release 2.6.1

That would probably be a waste of time since neither json-lib 2.3 nor
ezmorph 1.0.6 use the ClassUtils class affected by the CVE:

  wget https://repo1.maven.org/maven2/net/sf/ezmorph/ezmorph/1.0.6/ezmorph-1.0.6-sources.jar
  unzip ezmorph-1.0.6-sources.jar
  wget https://repo1.maven.org/maven2/net/sf/json-lib/json-lib/2.3/json-lib-2.3-jdk15-sources.jar
  unzip json-lib-2.3-jdk15-sources.jar
  grep -R ClassUtils .

Emmanuel Bourg