Address CVE

[bbimber]

This PR is designed to address CVE-2024-7254: https://nvd.nist.gov/vuln/detail/CVE-2024-7254.

The commons-lang and -io updates are not strictly needed, but they were flagged too, and the GATK repo is using those versions.

[bbimber]

Hello @yfarjoun and @lbergelson: I'm not sure where to reach out on this, but you two made recent commits to picard. The practical risk here is probably low, but it's also an easy update to address the CVE. Is there a chance someone would be willing to look at this PR?

[lbergelson]

Hi @bbimber. I'm sorry but my team and I are no longer employed at the Broad and have no access to assist with Picard or GATK anymore. it's possible Yossi still does. I'm not sure who is currently responsible for either project. It was good to work with you over the years.

…

On Tue, Sep 9, 2025, 12:09 PM bbimber ***@***.***> wrote: *bbimber* left a comment (broadinstitute/picard#2022) <#2022 (comment)> Hello @yfarjoun <https://github.com/yfarjoun> and @lbergelson <https://github.com/lbergelson>: I'm not sure where to reach out on this, but you two made recent commits to picard. The practical risk here is probably low, but it's also an easy update to address the CVE. Is there a chance someone would be willing to look at this PR? — Reply to this email directly, view it on GitHub <#2022 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABD3RLF33AJCBOBTWTQETKD3R33TDAVCNFSM6AAAAACEO4PNXKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENZRGM4DCMRWGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[bbimber]

@lbergelson: i had no idea - thanks for you help over the years and best of luck to you!

[bbimber]

Hi @yfarjoun - by chance do you still have access to this repo? if not, do you know who is managing this repo now?

[lbergelson]

@bbimber Thank you. It was a pleasure working with you. All the best!