Address CVE by bbimber · Pull Request #2022 · broadinstitute/picard

bbimber · 2025-08-21T14:28:36Z

This PR is designed to address CVE-2024-7254: https://nvd.nist.gov/vuln/detail/CVE-2024-7254.

The commons-lang and -io updates are not strictly needed, but they were flagged too, and the GATK repo is using those versions.

bbimber · 2025-09-09T16:08:59Z

Hello @yfarjoun and @lbergelson: I'm not sure where to reach out on this, but you two made recent commits to picard. The practical risk here is probably low, but it's also an easy update to address the CVE. Is there a chance someone would be willing to look at this PR?

lbergelson · 2025-09-10T00:14:07Z

Hi @bbimber. I'm sorry but my team and I are no longer employed at the Broad and have no access to assist with Picard or GATK anymore. it's possible Yossi still does. I'm not sure who is currently responsible for either project. It was good to work with you over the years.

…

On Tue, Sep 9, 2025, 12:09 PM bbimber ***@***.***> wrote: *bbimber* left a comment (broadinstitute/picard#2022) <#2022 (comment)> Hello @yfarjoun <https://github.com/yfarjoun> and @lbergelson <https://github.com/lbergelson>: I'm not sure where to reach out on this, but you two made recent commits to picard. The practical risk here is probably low, but it's also an easy update to address the CVE. Is there a chance someone would be willing to look at this PR? — Reply to this email directly, view it on GitHub <#2022 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABD3RLF33AJCBOBTWTQETKD3R33TDAVCNFSM6AAAAACEO4PNXKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENZRGM4DCMRWGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

bbimber · 2025-09-10T12:42:04Z

@lbergelson: i had no idea - thanks for you help over the years and best of luck to you!

bbimber · 2025-09-22T12:33:28Z

Hi @yfarjoun - by chance do you still have access to this repo? if not, do you know who is managing this repo now?

lbergelson · 2025-09-22T16:33:13Z

@bbimber Thank you. It was a pleasure working with you. All the best!

bbimber · 2026-01-02T17:02:52Z

Hi @yfarjoun, John Smith suggested that I ping you on this thread. Is there a chance you'd be able to review this minor update to picard? It appears someone was able to kick off tests, which passed.

yfarjoun · 2026-01-06T15:26:56Z

I do not have the authorization to approve picard PRs since I left the Broad.

bbimber · 2026-01-06T15:28:00Z

OK, thanks for replying. I wonder who still does...

bbimber · 2026-01-06T15:30:51Z

Thanks @tfenne!

Address CVE

0dd73ef

tfenne approved these changes Jan 6, 2026

View reviewed changes

tfenne merged commit 1dd3cc5 into broadinstitute:master Jan 6, 2026
6 checks passed

bbimber deleted the cve branch January 6, 2026 15:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Address CVE#2022

Address CVE#2022
tfenne merged 1 commit intobroadinstitute:masterfrom
bbimber:cve

bbimber commented Aug 21, 2025

Uh oh!

bbimber commented Sep 9, 2025

Uh oh!

lbergelson commented Sep 10, 2025 via email

Uh oh!

bbimber commented Sep 10, 2025

Uh oh!

bbimber commented Sep 22, 2025

Uh oh!

lbergelson commented Sep 22, 2025

Uh oh!

bbimber commented Jan 2, 2026

Uh oh!

yfarjoun commented Jan 6, 2026

Uh oh!

bbimber commented Jan 6, 2026

Uh oh!

Uh oh!

bbimber commented Jan 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

bbimber commented Aug 21, 2025

Uh oh!

bbimber commented Sep 9, 2025

Uh oh!

lbergelson commented Sep 10, 2025 via email

Uh oh!

bbimber commented Sep 10, 2025

Uh oh!

bbimber commented Sep 22, 2025

Uh oh!

lbergelson commented Sep 22, 2025

Uh oh!

bbimber commented Jan 2, 2026

Uh oh!

yfarjoun commented Jan 6, 2026

Uh oh!

bbimber commented Jan 6, 2026

Uh oh!

Uh oh!

bbimber commented Jan 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants