From 1a2ac53369b11fa35c426436bb8911b066c6dd75 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Wed, 21 Feb 2024 10:32:14 -0500 Subject: [PATCH] =?UTF-8?q?Revert=20"=F0=9F=91=8C=20IMPROVE:=20Bump=20Luce?= =?UTF-8?q?e=20loader=20dependency=20to=206.0.0.585=20to=20avoid=20known?= =?UTF-8?q?=20CVEs"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since Lucee 6.x still packages these vulnerable versions, I see no good reason to upgrade our build loader version and possibly break something. This reverts commit b6225e0ab7c943681f6de9313bb92e280195d538. --- CHANGELOG.md | 4 ---- pom.xml | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2de4d0fb..5bacda7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,10 +11,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixes a regression on [OOE-26](https://ortussolutions.atlassian.net/browse/OOE-26) where empty string values are coerced to `NULL` when an ORM type *is* declared. Originally reported against `6.4.0`, resolved in `6.5.0`, then regressed in `6.5.1`. - Resolves [OOE-26](https://ortussolutions.atlassian.net/browse/OOE-26). -### 🔐 Security - -Bump Lucee build dependency to `6.0.0.585` to avoid [vulnerable dependencies in []`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254296), [`com.github.mwiede:jsch`](https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBMWIEDE-6130900), and [`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254297). NOTE: None of these vulnerabilities are realized in the Ortus ORM Extension, since we do not ship any Lucee code. - ## [6.5.1] - 2024-02-20 ### 🐛 Fixed diff --git a/pom.xml b/pom.xml index 06b81c43..ea53e937 100644 --- a/pom.xml +++ b/pom.xml @@ -307,7 +307,7 @@ lucee-core-version: ${minLuceeVersion} org.lucee lucee - 6.0.0.585 + 5.4.4.38 provided
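Review bot: In the CHANGELOG.md hunk, dropping the whole `### 🔐 Security` section leaves no trace that the bump to `6.0.0.585` was made and then reverted, so the next reader of the changelog (or the next dependency-bot PR) has no record of why the build still compiles against `5.4.4.38`. Suggest keeping a one-line entry under the current release, e.g. "Reverted the Lucee build dependency bump to `6.0.0.585`; Lucee 6.x still packages the same `commons-compress` and `jsch` versions and the extension ships no Lucee code, so the reported Snyk findings are not realized in this extension." Separately, if that text is ever restored, note that the removed line has a stray `[]` before `` `org.apache.commons:commons-compress` `` and lists `commons-compress` twice (two distinct Snyk ids, SNYK-JAVA-ORGAPACHECOMMONS-6254296 and -6254297), which reads as a copy-paste error; list each advisory once under the one artifact.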
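Review bot: In the pom.xml hunk, the version is pinned back to the literal `5.4.4.38` with `provided` scope while the surrounding context already carries a `${minLuceeVersion}` property (`lucee-core-version: ${minLuceeVersion}`); if the build dependency is meant to track the minimum supported Lucee, consider referencing that property instead of a second hard-coded version so the two cannot drift apart. Since the commit message's reasoning is that the `provided` dependency is never shipped and Lucee 6.x carries the same transitive versions, a short XML comment next to the `<version>` stating that (and that the Snyk findings on `commons-compress` and `jsch` are accepted for this artifact) would stop a future automated bump from silently reintroducing the change; a dependency scanner will otherwise keep flagging this line with no context.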