We are using v121p_2024-10-20. It has the vulnerable jar velocity-1.7.jar. I understand that you have upgraded the velocity jar in SmartClient 13 and 14. But the upgrade to 13 or 14 breaks our product. It is a major effort to make our product work with SmartClient 13 or 14. Our customers are pushing us to have a SmartClient without the vulnerable jar quickly. We request a patched version based on v121p that does not have the vulnerable velocity jar. Thank you!
-
SmartClient 12.1 has no known security vulnerabilities - we don't use Velocity in a way that would make the framework vulnerable, so there is nothing to fix.
Also, there are currently no known backcompat issues with later versions (such as 13 or 14), so there is also nothing for us to do here.
The only possible thing would be to have us fork 12.1 just for you, just to satisfy concern over a vulnerability that does not exist. That would be very expensive for you, and couldn't be delivered any sooner than you can address issues in your product so that you can use 13 or 14.