From 35d4ad7e9638d7994d3c801fd22b91f6e504a136 Mon Sep 17 00:00:00 2001
From: Valery Kharseko
Date: Mon, 24 Jun 2024 13:08:35 +0300
Subject: [PATCH] CVE-2020-13936 Sandbox Bypass in Apache Velocity Engine (#38)
---
 .github/workflows/release.yml | 16 ++++++++--------
 OpenICF-maven-plugin/pom.xml | 22 +---------------------
 2 files changed, 9 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7fdc400e..0785edcb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,14 +68,14 @@ jobs:
 fail_on_unmatched_files: false
 generate_release_notes: true
 files: |
- OpenICF-java-framework/openicf-zip/target/*.zip
- OpenICF-csvfile-connector/target/*.jar
- OpenICF-databasetable-connector/target/*.jar
- OpenICF-groovy-connector/target/*.jar
- OpenICF-kerberos-connector/target/*.jar
- OpenICF-ldap-connector/target/*.jar
- OpenICF-ssh-connector/target/*.jar
- OpenICF-xml-connector/target/*.jar
+ OpenICF-java-framework/openicf-zip/target/*${{ github.event.inputs.releaseVersion }}.zip
+ OpenICF-csvfile-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-databasetable-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-groovy-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-kerberos-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-ldap-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-ssh-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+ OpenICF-xml-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
 release-docker:
 name: Docker release
 runs-on: 'ubuntu-latest'
diff --git a/OpenICF-maven-plugin/pom.xml b/OpenICF-maven-plugin/pom.xml
index d5ada996..028fbf3e 100644
--- a/OpenICF-maven-plugin/pom.xml
+++ b/OpenICF-maven-plugin/pom.xml
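Review bot: In the `.github/workflows/release.yml` hunk, the narrowed `files:` globs still sit under `fail_on_unmatched_files: false`, so a `releaseVersion` that does not match the built artifact names publishes a release with missing assets and no error. If the workflow can also start from a trigger that carries no inputs, `${{ github.event.inputs.releaseVersion }}` expands to an empty string and the patterns fall back to the old `*.zip` / `*.jar`; the triggers are outside this hunk, so that is worth confirming. I would set `fail_on_unmatched_files: true` now that each pattern is meant to match a specific versioned artifact. The change is also unrelated to the CVE named in the subject and would be easier to audit as its own commit.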
@@ -158,31 +158,11 @@ org.codehaus.plexus plexus-velocity - 1.1.8 - - - org.codehaus.plexus - plexus-container-default - - - org.codehaus.plexus - plexus-component-api - - - velocity - velocity - - + 1.2 - - org.apache.velocity - velocity - 1.7 - - org.apache.maven.reporting maven-reporting-exec
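Review bot: Removing the explicit `org.apache.velocity:velocity` 1.7 dependency and the `velocity:velocity` exclusion leaves the Velocity version on the plugin classpath to whatever plexus-velocity 1.2 brings in transitively, and nothing in this hunk shows that this resolves to a release fixed for CVE-2020-13936. Please confirm with `mvn dependency:tree -Dincludes=org.apache.velocity,velocity` in OpenICF-maven-plugin, and if the resolved artifact is still an affected version, pin a fixed one explicitly rather than relying on the transitive default. Dropping the `plexus-container-default` and `plexus-component-api` exclusions also lets those artifacts back onto the classpath, which may be unintended. A short comment above the dependency, e.g. `<!-- Velocity is inherited from plexus-velocity; re-check CVE-2020-13936 when changing this version -->`, would record why no direct Velocity dependency remains. The XML tags are missing from this rendering of the hunk, so the element names here are inferred from the visible coordinates.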