CVE-2022-42889 library upgrade

[gregorydlogan]

This pull request upgrades commons-text to handle CVE-2022-42889.

Your pull request should…

• have a concise title
• close an accompanying issue if one exists
• be against the correct branch
• include migration scripts and documentation, if appropriate
• pass automated tests
• have a clean commit history
• have proper commit messages (title and body) for all commits

[github-actions]

This pull request has conflicts ☹
Please resolve those so we can review the pull request.
Thanks.

[lkiesow]

Does that problem affect/endanger Opencast? IF so, we probably need to write a security advisory. Or is this not really affecting Opencast and it's more about getting rid of the warnings?

[gregorydlogan]

It's a good question. It's only in animate, but I don't know that module well enough to know how's its used. It would only affect users running specific WOHs which is why I thought this was more of a dep update than a security issue. I'm fine with doing a security notice though.

[gregorydlogan]

Something brought up in the meeting today: Is Karaf itself affected by this, and which version(s) have they patched? I'll track this.

[lkiesow]

In animate, we only use StringEscapeUtils.escapeXml11 to escape strings we then put into XML. That shouldn't be affected. Hence, I don't think Opencast is affected, and we don't need a security advisory. That is, if Karaf isn't affected.