Open eduarddrenth opened 1 month ago
This will be in the next release
Some more: lucene CVE-2024-45772 and javax.json CVE-2023-7272.
For the lucene dep I use version 9.12.0 now with Stanford, seems to be working fine (but all I do is return new Sentence(form).lemmas(); so I might never touch lucene)
If I update javax.json to
https://repo1.maven.org/maven2/org/glassfish/jakarta.json/1.1.6/
do you know if that will solve your problems with that library? I have no idea what effect updating to 2.... would have.
The lucene stuff is for a specific package which we're not sure too many people use (@manning wants me to delete it entirely).
For lucene, what about the 7.7.3 series? Again, I feel wary bumping the major version number without actually knowing anything about the package that uses it:
https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3
But if that still has security problems then I guess it's time to do something bigger.
Perhaps, but I think that version has the vulnerability as well. There will probably be some impact here. But it could be that the way Stanford uses lucene doesn't expose the vulnerability.
On Wed 9 Oct 2024 01:53, John Bauer @.***> wrote:
for lucene, what about the 7.7.3 series? again i feel wary bumping the major version number without actually knowing anything about the package that uses it
https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3
but if that still has security problems then i guess it's time to do something bigger
My build shows:
[ERROR] protobuf-java-3.19.6.jar: CVE-2024-7254(8.699999809265137)
Can you please update this dependency?