imagej / imagej2

Open scientific N-dimensional image processing :microscope: :sparkler:
https://imagej.net/
BSD 2-Clause "Simplified" License

Please bump `commons-text` to 1.10.0 or newer #309

Closed Jarek-Sacha closed 2 years ago

Jarek-Sacha commented 2 years ago

Fiji (Java-8) installs commons-text-1.9.jar, which suffers from CVE-2022-42889.

commons-text-1.9.jar is being flagged by security scanners. As a result, people are being asked to remove Fiji by their Information Security organizations.

A simple fix is to just bump commons-text to version 1.10.0, which resolves the security issue.
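For anyone who needs to confirm which installations are affected before or after the bump, the following is an added example (not ImageJ2/Fiji project code, and not part of the issue above). It assumes the Fiji layout in which third-party libraries sit in a `jars/` directory as `commons-text-<version>.jar`, and it builds a constructed sample directory to run against. The version comparison is done per numeric component, because a plain string comparison would rank 1.9 above 1.10 and miss exactly the vulnerable jar this issue is about.

```shell
#!/bin/sh
# Added example: find commons-text jars affected by CVE-2022-42889 (fixed in 1.10.0)
# in a Fiji-style jars/ directory. Assumes filenames of the form commons-text-<ver>.jar.

# Returns 0 if version $1 is 1.10.0 or newer, 1 otherwise.
# Components are compared numerically so that 1.9 < 1.10 (string order gets this wrong).
commons_text_fixed() {
  awk -v v="$1" 'BEGIN {
    n = split(v, p, ".")
    major = p[1] + 0
    minor = (n >= 2) ? p[2] + 0 : 0
    exit !(major > 1 || (major == 1 && minor >= 10))
  }'
}

# Prints every commons-text jar under directory $1 whose version is below 1.10.0.
# Exit status: 1 if at least one vulnerable jar was found, 0 otherwise.
check_commons_text() {
  found=0
  for jar in "$1"/commons-text-*.jar; do
    [ -e "$jar" ] || continue          # no match: the glob stays literal
    base=${jar##*/}
    ver=${base#commons-text-}
    ver=${ver%.jar}
    if commons_text_fixed "$ver"; then
      continue
    fi
    echo "VULNERABLE (CVE-2022-42889): $jar"
    found=1
  done
  return $found
}

# Constructed sample installation for demonstration only (not a real Fiji tree):
# one vulnerable jar and one fixed jar side by side, as can happen after a partial update.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/jars"
: > "$demo_dir/jars/commons-text-1.9.jar"
: > "$demo_dir/jars/commons-text-1.10.0.jar"
check_commons_text "$demo_dir/jars" || echo "Replace the flagged jar(s) with commons-text 1.10.0 or newer."
rm -rf "$demo_dir"
```

Point `check_commons_text` at a real `Fiji.app/jars` directory to use it as a scanner-style check; a leftover 1.9 jar next to a newer one is still loaded onto the classpath, so both copies matter.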

ctrueden commented 2 years ago

@Jarek-Sacha The next version of ImageJ2, which will be 2.10.0, will include an update to commons-text 1.10.0, among many other updates (the update was made with scijava/pom-scijava@c62c9b3358d76d2884de3f8e3a60e4de6c718350). I expect to make the new ImageJ2 and Fiji releases within the next 3-10 days.

ctrueden commented 2 years ago

@Jarek-Sacha In addition, I have updated the Java-8 update site with the commons-text 1.10.0 update, to address the immediate hassle.