> AFAICT this would mainly help organizations that do not have the capability
> to do '1' but *also* don't have the capability to do '2'

Arnout, what if the vulnerability does impact the software? For instance, what if somebody does use ClassUtils.getClass with user-controllable input? The CVE is trivial to fix in 2.6, so why don't we fix it instead of suggesting everybody sink time into the analysis?

> ezmorph and json-lib move to lang3

Both libraries are dead. Migrating them to lang3 would be a pure waste of time.

> If someone steps forward volunteering to do
> most of the work for completing a 2.x release I'd reluctantly support that,
> as I do see the short-term benefit, but I'm not entirely convinced it's the
> right long-term choice.

I could help with whatever is needed. Frankly, I do not see any downsides to releasing a security patch.

Vladimir