Security vulnerabilities

[codelano]

Security vulnerabilities are reported since 2.0 version up to curent 2.10.0 version.
https://nvd.nist.gov/vuln/detail/CVE-2019-16942
https://nvd.nist.gov/vuln/detail/CVE-2019-16943
https://nvd.nist.gov/vuln/detail/CVE-2019-17531
Do you have any plans to address these?

[cowtowncoder]

@codelano I am not familiar with these CVEs. Have you looked issue tracker here, if they match for any fixes? Looking at jars mentioned I would guess some or maybe all are fixed.
The only unreleased (wrt 2.9 branch) fix would be #2526.

Given that they are about Default Typing, 2.10.0 and later are not affected.

[cowtowncoder]

Ok. Next time please have a look at issue tracker yourself. Fixes that cover these are

• Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943) #2478 (first two)
• Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531) #2498 (last one)

Both included in 2.9.10.1 release; 2.10.0 and later not affected.

I do have better things to do than work as search engine for lazy users.