The Apache Ant Team is pleased to announce the release of Apache Ivy 2.5.2.

Apache Ivy is a dependency manager focusing on flexibility and simplicity with strong integration into the Apache Ant build tool.

Ivy 2.5.2 is a bugfix release and addresses an XML external entity injection vulnerability; see the upcoming CVE announcement or https://ant.apache.org/ivy/security.html for details.

Source and binary distributions are available for download from the Apache Ivy download site:

https://ant.apache.org/ivy/download.cgi

When downloading, please verify signatures using the KEYS file available at the above location.

Changes in 2.5.2 include:
=========================

- FIX: ivy:retrieve could fail because of a `NullPointerException` (jira:IVY-1641[])
- FIX: reading POMs may lose dependencies when multiple Maven dependencies only differ in `classifier` (jira:IVY-1642[])
- IMPROVEMENT: Upgrade Apache HttpClient to 4.5.13 (jira:IVY-1644[])
- FIX: CVE-2022-46751: Apache Ivy Is Vulnerable to XML External Entity Injections

For complete information on Ivy, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Ivy website:

https://ant.apache.org/ivy/

Stefan Bodewig, on behalf of the Apache Ant community