Closed adriil closed 1 year ago
Eventually yes (2.13.5), but I don't think I have time to do micro-patch releases in the near future. Instead I would recommend that users add explicit woodstox version overrides if they want to.
Also note, however, that the default configuration of the XML provider is such that the CVE is NOT APPLICABLE -- DTD handling is disabled.
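One way to check the point made in the reply above against your own application, as an added example that is not part of the thread or of the Jackson project: it reads the DTD-related Stax properties from the `XMLInputFactory` that an `XmlMapper` parses with. The class name `WoodstoxDtdCheck` is hypothetical, and it assumes `jackson-dataformat-xml` is on the classpath.

```java
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

// Hypothetical helper class (the name is an assumption, not part of Jackson).
public class WoodstoxDtdCheck {

    // True only when the Stax property is supported and explicitly Boolean.FALSE.
    static boolean isOff(XMLInputFactory f, String property) {
        return f.isPropertySupported(property)
                && Boolean.FALSE.equals(f.getProperty(property));
    }

    // Inspect the Stax input factory that the given XmlMapper actually parses with.
    static boolean dtdHandlingDisabled(XmlMapper mapper) {
        XMLInputFactory f = mapper.getFactory().getXMLInputFactory();
        // Best effort: the jar manifest may not carry an implementation version.
        Package pkg = f.getClass().getPackage();
        String version = (pkg == null) ? null : pkg.getImplementationVersion();
        boolean dtdOff = isOff(f, XMLInputFactory.SUPPORT_DTD);
        boolean extOff = isOff(f, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES);
        System.out.printf("%s (version %s): SUPPORT_DTD off=%b, external entities off=%b%n",
                f.getClass().getName(), version == null ? "unknown" : version, dtdOff, extOff);
        return dtdOff;
    }

    public static void main(String[] args) {
        // 1. Mapper with the XML module's default configuration.
        dtdHandlingDisabled(new XmlMapper());

        // 2. Mapper built on a caller-supplied Stax factory: its settings are
        //    whatever the application configured, so check it separately.
        XMLInputFactory own = XMLInputFactory.newFactory();
        XmlMapper custom = new XmlMapper(new XmlFactory(own, XMLOutputFactory.newFactory()));
        if (!dtdHandlingDisabled(custom)) {
            System.out.println("DTD handling is enabled for this mapper: "
                    + "override woodstox-core or set SUPPORT_DTD to false.");
        }
    }
}
```

Pass the `XmlMapper` instance your application really uses to `dtdHandlingDisabled` rather than a fresh one, since that is the configuration a scanner finding has to be judged against.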
Thank you very much for your quick answer, I didn't know that the CVE doesn't apply with default config. I'll check and if I finally need it I will override as suggested.
@adriil Yeah, unfortunately a big portion of CVEs do not actually apply to many users -- so the whole cost of upgrades yields diminishing value. But then again, figuring out if your system is affected is not trivial either; and maintaining overrides/exclusions for security scanners is work too.
I will close this, not because there won't be a release but because there will eventually be one -- I just need to get 2.14.0 completed first.
Hi team,
Is there a plan to release a version with woodstox-core:6.4.0 in the 2.13.x line, similar to versions 2.13.4.1 and 2.13.4.2 published for jackson-databind?
Thanks, Adrien