Re: [cross-project-issues-dev] [Bug 547338] Update to guava 24.1.1+(fix

[Aleksandar Kurtakov <akurtako@xxxxxxxxxx>]

On Thu, May 16, 2019 at 10:48 AM Dietrich, Christian <christian.dietrich@xxxxxxxxx> wrote:

well the security problem is there for a long time and this was brought up on orbit https://www.eclipse.org/lists/orbit-dev/msg05047.html in february and nothing happened. so i have doubts regarding urgency

Just for the record Orbit project itself can not do anything. It's up for some project with actual dependency on given library to open CQ for newer version and after that add it to Orbit. Once there is a fixed version in Orbit the logical step from Orbit project POV is to remove the version with CVE from its latest build.  Thus contacts should be made with the actual projects contributing the offensive versions to release train or nothing can't happen as most people probably don't read orbit-dev at all.

I know that most people know it but I felt the need to repeat it :)

 

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

--

Alexander Kurtakov

Red Hat Eclipse Team