jakartaee/jaf-api

Operational risk identified in Jakarta Activation

SOUJANYAPULIGILLA opened this issue · 1 comment

We wanted to bring to your attention that during the industry-standard security scan in our frameworks, a potential operational risk was detected in the com.sun.activation:jakarta.activation:2.0.1 library. To mitigate this risk, we are actively investigating the issue and working on identifying a newer version of com.sun.activation:jakarta.activation that addresses the identified security concern, and we also need some info on jakarta.activation-api.
Are jakarta.activation-api (https://mvnrepository.com/artifact/jakarta.activation/jakarta.activation-api/2.1.2) and jakarta.activation (https://mvnrepository.com/artifact/com.sun.activation/jakarta.activation/2.0.1) the same dependencies?
Our priority is to ensure the security and reliability of our software.
We request that you please provide a newer, vulnerability-free version of the 'Jakarta Activation' library, or please let us know whether both dependencies are the same and whether we need to move to the Jakarta Activation API.

Are jakarta.activation-api (https://mvnrepository.com/artifact/jakarta.activation/jakarta.activation-api/2.1.2) and jakarta.activation (https://mvnrepository.com/artifact/com.sun.activation/jakarta.activation/2.0.1) the same dependencies?

To move from com.sun.activation:jakarta.activation:2.0.1 to a newer version, you have to use jakarta.activation:jakarta.activation-api:2.1.2 with org.eclipse.angus:angus-activation:2.0.1.
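As an added example that is not from the issue or the jaf-api project, here is the Maven dependency change the reply describes, followed by a maven-enforcer-plugin rule that fails the build if the old coordinates return through a transitive dependency. The plugin version placeholder and the runtime scope on the implementation artifact are my assumptions, not something the reply states.

```xml
<!-- Constructed example (not from the jaf-api project): pom.xml fragments.
     BEFORE: the coordinates the issue reports; remove this dependency. -->
<dependency>
  <groupId>com.sun.activation</groupId>
  <artifactId>jakarta.activation</artifactId>
  <version>2.0.1</version>
</dependency>

<!-- AFTER: the API artifact plus the Eclipse Angus implementation, as in the reply. -->
<dependency>
  <groupId>jakarta.activation</groupId>
  <artifactId>jakarta.activation-api</artifactId>
  <version>2.1.2</version>
</dependency>
<dependency>
  <groupId>org.eclipse.angus</groupId>
  <artifactId>angus-activation</artifactId>
  <version>2.0.1</version>
  <scope>runtime</scope> <!-- assumption: only needed at run time -->
</dependency>

<!-- Guard: fail the build if the retired artifact is pulled in transitively
     by another dependency. Plugin version is a placeholder; pin a current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>ENFORCER_PLUGIN_VERSION</version>
      <executions>
        <execution>
          <id>ban-old-activation</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>com.sun.activation:jakarta.activation</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn dependency:tree` after the change to confirm no other dependency still brings in com.sun.activation:jakarta.activation; the enforcer rule then keeps it from reappearing in later builds.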