mybatis-velocity Apache Velocity 1.7 vulnerability


Sean Kunevich
Thanks for your work on mybatis-velocity.  Our company has a corporate scanning tool that checks jars for known security vulnerabilities before releasing and has flagged apache-velocity 1.7 as a jar having a high security vulnerability.  We are using the latest 1.4 release of mybatis-velocity which pulls in apache-velocity 1.7.  We know we are not vulnerable but we have a blanket policy that we can no longer ignore and our jar is included in many internal projects.  I noticed that velocity is upgraded in the 2.0-SNAPSHOT https://github.com/mybatis/velocity-scripting/blob/master/pom.xml.  Do you plan on releasing 2.0 anytime soon or is there something preventing a release?

Thanks,
Sean

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: mybatis-velocity Apache Velocity 1.7 vulnerability

Iwao AVE!
Hi Sean,

Have you tried 2.0-SNAPSHOT with your solution?
If you could confirm it's ready, I can do the release.

Regards,
Iwao

On Thu, Dec 6, 2018 at 10:53 PM Sean Kunevich <[hidden email]> wrote:
Thanks for your work on mybatis-velocity.  Our company has a corporate scanning tool that checks jars for known security vulnerabilities before releasing and has flagged apache-velocity 1.7 as a jar having a high security vulnerability.  We are using the latest 1.4 release of mybatis-velocity which pulls in apache-velocity 1.7.  We know we are not vulnerable but we have a blanket policy that we can no longer ignore and our jar is included in many internal projects.  I noticed that velocity is upgraded in the 2.0-SNAPSHOT https://github.com/mybatis/velocity-scripting/blob/master/pom.xml.  Do you plan on releasing 2.0 anytime soon or is there something preventing a release?

Thanks,
Sean


Re: mybatis-velocity Apache Velocity 1.7 vulnerability

Sean Kunevich
That would be amazing!  I have not tried the snapshot yet but let me do so now, run the unit tests and have our QA team run their regression tests.

Thanks,
Sean

On Tue, Dec 11, 2018 at 8:49 AM Iwao AVE! <[hidden email]> wrote:
Hi Sean,

Have you tried 2.0-SNAPSHOT with your solution?
If you could confirm it's ready, I can do the release.

Regards,
Iwao
