This is an automated email from the ASF dual-hosted git repository. psteitz pushed a commit to branch LANG_2_X in repository https://gitbox.apache.org/repos/asf/commons-lang.git
commit 60cad980fc41de382a1e4c192c55174dc508ed5b Author: Phil Steitz <[email protected]> AuthorDate: Sun Nov 16 11:05:32 2025 -0700 Update changelog for ClassUtils StackOverflow fix (PR #1492). --- src/site/changes/changes.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/site/changes/changes.xml b/src/site/changes/changes.xml index e47a2b9fe..8f87a7390 100644 --- a/src/site/changes/changes.xml +++ b/src/site/changes/changes.xml @@ -21,6 +21,10 @@ </properties> <body> <release version="2.7" date="TBA" description="TBA (requires minimum of Java 1.3)"> + <action type="fix" dev="psteitz" due-to="OSS-Fuzz, Gary Gregory, Vladimir Sitnikov"> + Rewrite ClassUtils.getClass(...) without recursion to avoid StackOverflowError on very long inputs. + OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang3.ClassUtils.getClass. + </action> <action issue="LANG-807" type="fix">RandomStringUtils throws confusing IAE when end <= start</action> <action issue="LANG-805" type="fix">RandomStringUtils.random(count, 0, 0, false, false, universe, random) always throws java.lang.ArrayIndexOutOfBoundsException</action> <action issue="LANG-803" type="fix">LocaleUtils - DCL idiom is not thread-safe.</action>
