maven-dev mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
Date Sun, 02 Jun 2019 14:04:53 GMT
We are working hard to get this done.

I will commit as soon as CI is green (blue...)

Enrico

On Sat, 1 Jun 2019, 10:02 Enrico Olivelli <eolivelli@gmail.com> wrote:

> If there is any complaint I will commit the change.
> We are already moving to Java 8 other plugins that are not part of the core
> lifecycle (Maven 3 supports Java 7)
>
>
> Enrico
>
> On Fri, 31 May 2019, 21:43 Enrico Olivelli <eolivelli@gmail.com> wrote:
>
>> +1
>> Enrico
>>
>> On Fri, 31 May 2019, 21:02 Homer, Tony <tony.homer@intel.com> wrote:
>>
>>> Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
>>> CVE-2018-1000632 [1].
>>> I filed ARCHETYPE-567 [2] to track this.
>>> In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
>>> needed.
>>> dom4j 2.1.x requires Java 8+ [3].
>>> dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
>>> latest release (2.0.2) is vulnerable to CVE-2018-1000632.
>>> The current dev version (2.0.3) seems to contain a fix for
>>> CVE-2018-1000632 but has been pending release for ~1 year.
>>>
>>> I opened PR #28 [4] to make these changes.
>>> What else should I do to advance this proposal?
>>>
>>> Thanks!
>>> Tony Homer
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
>>> [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
>>> [3] https://dom4j.github.io
>>> [4] https://github.com/apache/maven-archetype/pull/28
>>>
>>>
