forked from dxatscale/sfpowerscripts
Vulnerable package org.scala-lang:scala-library:2.13.3 included in sfp-lite packages for 38.4.1 and 39.0.3 #92
azlam-abdulsalam pushed a commit that referenced this issue Jul 10, 2024
Update apexlink to 3.1.2 to fix issue #92
@thraco thanks for bringing this to attention, we will release a patch asap
thanks @azlam-abdulsalam!
dieffrei added a commit that referenced this issue Jul 12, 2024
Update apexlink to 3.1.2 to fix issue #92 Co-authored-by: azlam <[email protected]> Co-authored-by: Diéffrei Quadros <[email protected]>
We are facing some issues while rebuilding apexlink, will keep everyone posted when the patch is ready
Fixed in 783b1c9
Fantastic, thank you @azlam-abdulsalam !
Describe the bug
#49 did not completely resolve the issue raised in #46 by @JonnyPower. scala-library:2.13.3 is still included in the published packages for 38.4.1 and 39.0.3. #47 was closed without merging, but did include the upgrade of this package to 2.13.13.
To Reproduce
Steps to reproduce the behavior:
Or, look here: https://github.com/flxbl-io/sfp/blob/%40flxbl-io/sfp%4038.4.1/packages/apexlink/jars/scala-library-2.13.3.jar
Expected behavior
sfp-lite no longer includes scala-library:2.13.3, which has the critical vulnerability CVE-2022-36944
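A check for the condition this issue reports, as an added example that is not part of the issue or the sfp project's code: it scans a directory tree (for instance an unpacked sfp package) for bundled `scala-library-*.jar` files and flags versions below a minimum. The function names and the `MIN_SAFE` default of 2.13.9 are assumptions; 2.13.9 is the first release outside the range given in CVE-2022-36944's published description and is not stated on this page.

```shell
#!/bin/sh
# Added example, not project code. MIN_SAFE is an assumption taken from the
# published description of CVE-2022-36944 (Scala 2.13.x before 2.13.9).
MIN_SAFE="${MIN_SAFE:-2.13.9}"

# version_lt A B: succeeds when dotted version A is strictly lower than B.
# Non-numeric suffixes such as "-RC1" are ignored by awk's numeric conversion.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# scan_scala_jars DIR: prints one line per bundled scala-library jar,
# "VULNERABLE <version> <path>" or "ok <version> <path>".
# Returns 1 if any jar is below MIN_SAFE, 0 otherwise.
scan_scala_jars() {
  scan_status=0
  scan_jars=$(find "$1" -type f -name 'scala-library-*.jar' | sort)
  while IFS= read -r scan_jar; do
    [ -n "$scan_jar" ] || continue          # no jars found
    scan_ver=$(basename "$scan_jar" .jar)
    scan_ver=${scan_ver#scala-library-}     # version comes from the file name
    if version_lt "$scan_ver" "$MIN_SAFE"; then
      echo "VULNERABLE $scan_ver $scan_jar"
      scan_status=1
    else
      echo "ok $scan_ver $scan_jar"
    fi
  done <<EOF
$scan_jars
EOF
  return "$scan_status"
}

# Stand-alone use: pass the directory to scan; exit status 1 means a hit.
if [ "$#" -gt 0 ]; then
  scan_scala_jars "$1"
fi
```

The version is read from the jar's file name only, so a renamed or shaded copy of the library would not be detected by this check.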