The library is a dependency of a dependency of Candlepin.
From what I know, the Candlepin team aims to update the dependency for the next release. Whether they will also backport it to stable Foreman/Katello versions, I have no information.
Thanks for answering my last questions.
I just updated Foreman to 3.5.1 and Katello to 4.7.
I do see that candlepin in the repo is still on 4.2.3-1 (makes me a little sad).
I guess that removing commons-text-1.9.jar will destroy the running config.
I think I'll try to replace commons-text-1.9 with 1.10 to avoid security issues.
(The security team really wants that 1.9 gone.)
Or would you try to fix this another way?
Hello, I am also under pressure from the security department.
In the case of replacing commons-text-1.9.jar (or commons-text-1.8.jar in my case), is it sufficient to download commons-text-1.10.0-bin.zip from https://dlcdn.apache.org/, then put commons-text-1.10.jar into the /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/ directory and remove /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/commons-text-1.8.jar?
What I just did (some minutes ago):
put commons-text-1.10.jar in that folder (changed permissions to tomcat:tomcat),
set the 1.9 to my home folder, and rebooted (just to be sure).
Everything still seems to work.
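The manual jar swap described in the two posts above, written up as an added shell example (not from this thread, not Candlepin's or Katello's own tooling): it verifies the downloaded archive against the `.sha512` file Apache publishes next to it on dlcdn.apache.org, moves every existing `commons-text-*.jar` out of the webapp's `WEB-INF/lib` into a backup directory instead of deleting it, installs the new jar with the directory's ownership, and then checks that exactly one commons-text jar is left. The function names, the `LIB_DIR`/`BACKUP_DIR` defaults and the `install`/`chown --reference` choice are assumptions of this example; the path and the tomcat:tomcat ownership come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from the Candlepin project.
# Assumed defaults; override via the environment or the function arguments.
set -euo pipefail

LIB_DIR="${LIB_DIR:-/var/lib/tomcat/webapps/candlepin/WEB-INF/lib}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/candlepin-jar-backup}"

# Verify a downloaded archive against a .sha512 file in the single-line
# "<hex>  <filename>" format (as published next to the archive on
# dlcdn.apache.org). Only the hex digest is compared, so the local file name
# may differ from the one recorded in the checksum file.
verify_sha512() {
  local archive="$1" sumfile="$2"
  local expected actual
  expected=$(awk '{print $1}' "$sumfile" | tr -d '\r' | tr 'A-F' 'a-f')
  actual=$(sha512sum "$archive" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Replace every commons-text-*.jar in lib_dir with new_jar, moving the old
# ones to backup_dir rather than deleting them. Fails if new_jar is missing
# or if, afterwards, anything other than exactly one commons-text jar remains
# (two versions side by side would leave the old classes loadable).
swap_commons_text() {
  local new_jar="$1" lib_dir="${2:-$LIB_DIR}" backup_dir="${3:-$BACKUP_DIR}"
  [ -f "$new_jar" ] || { echo "new jar not found: $new_jar" >&2; return 1; }
  mkdir -p "$backup_dir"
  local old
  for old in "$lib_dir"/commons-text-*.jar; do
    [ -e "$old" ] || continue          # glob matched nothing
    mv -- "$old" "$backup_dir"/
  done
  install -m 0644 "$new_jar" "$lib_dir"/
  # Give the new jar the same owner/group as the lib directory itself
  # (tomcat:tomcat on the hosts in the thread), so Tomcat can read it.
  chown --reference="$lib_dir" "$lib_dir/$(basename "$new_jar")"
  local count
  count=$(find "$lib_dir" -maxdepth 1 -name 'commons-text-*.jar' | wc -l | tr -d ' ')
  [ "$count" -eq 1 ]
}

# Count commons-text jars anywhere under a tree, e.g. the whole webapp, to
# confirm no other copy of the old version is still on the classpath.
count_commons_text() {
  find "$1" -name 'commons-text-*.jar' | wc -l | tr -d ' '
}

# Typical use on a Candlepin host (run as root, then restart tomcat):
#   verify_sha512 commons-text-1.10.0-bin.zip commons-text-1.10.0-bin.zip.sha512
#   unzip -j commons-text-1.10.0-bin.zip '*/commons-text-1.10.0.jar' -d /tmp
#   swap_commons_text /tmp/commons-text-1.10.0.jar
#   count_commons_text /var/lib/tomcat/webapps/candlepin
#   systemctl restart tomcat
```

The swapped jar lives outside the candlepin RPM, so the next package update will put the packaged jar back; keep the backup directory and re-check `count_commons_text` after every Candlepin upgrade until the packaged version itself carries the newer commons-text.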
Hi, I think he means he made a backup of this file in his home folder. Anyway, as far as I know there is already a fix for this issue in Katello 4.7.3.