Comment From: wilkinsona

What are you looking for here? Spring Boot doesn't manage the version of Commons Compress used by an application so it's not clear why you've made this request. We do manage the version of Commons Compress for use by our build plugins but its usage there is not vulnerable to CVE-2023-42503 as it isn't exposed to untrusted tar input.

Comment From: MohammadIqbalAD

Thanks for the quick reply.

This CVE was raised by Dependabot and Spring Boot was identified as having the affected Commons Compress version. This ticket was created using a similar format to previous requests for Commons Compress version updates, with the additional reference to the CVE.

Your confirmation of its innocuousness in this context means we'll just ignore the warning :).

Comment From: wilkinsona

spring-boot-buildpack-platform has a hardcoded version (1.19). We'll need to investigate if that's still needed and, ideally, remove it.

Comment From: wilkinsona

We're going to revert this change in 3.1.x and 3.2.x as it's not as internal as we'd hoped. For example, @onobc had to modify his build to accommodate the upgrade due to a version clash with an Artifactory-related dependency in the project's buildSrc.