Thanks to Fred Bricon who suggested that I contact this list:

>> Usually, guava versions need to be aligned across all Eclipse projects, so you might want to raise the issue in the cross-projects ML

My team builds an Eclipse product which includes m2e. Our company policy requires us to scan for CVEs and we found several affecting m2e, including CVE-2018-10237, which m2e is exposed to via dependence on a vulnerable version of guava.

m2e is currently using 21.0.0, which is the latest currently available in Orbit. The CVE is fixed starting with guava 24.1.1. The latest guava release is 27.1.

In order to work around this issue, my team forked m2e locally and updated our fork to use guava 27.0.1 (as mentioned in Bug 547338).

I’d like to add guava 27.0.1 or 27.1 (pending compatibility investigation) to Orbit so that Eclipse projects can switch to a guava that is not vulnerable to any published CVEs. I plan to open a change request with Orbit for this.

What else is needed to move this forward in time for 2019-06?