maven-dev mailing list archives

From Elliotte Rusty Harold <elh...@ibiblio.org>
Subject Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
Date Mon, 03 Jun 2019 13:59:02 GMT
Perhaps ask the dom4j developers first to see if a 2.0.3 release can
be scheduled.

And if that doesn't work, how much effort is it to switch off of dom4j
completely?

maven-archetype strikes me as too important to drop Java 7
compatibility this soon.


On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.homer@intel.com> wrote:
>
> Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to CVE-2018-1000632 [1].
> I filed ARCHETYPE-567 [2] to track this.
> In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
> dom4j 2.1.x requires Java 8+ [3].
> dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> The current dev version (2.0.3) seems to contain a fix for CVE-2018-1000632 but has been pending release for ~1 year.
>
> I opened PR #28 [4] to make these changes.
> What else should I do to advance this proposal?
>
> Thanks!
> Tony Homer
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> [3] https://dom4j.github.io
> [4] https://github.com/apache/maven-archetype/pull/28
>


-- 
Elliotte Rusty Harold
elharo@ibiblio.org
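The thread turns on which dom4j versions a build actually resolves. The script below is an added example (not code from maven-archetype, dom4j, or either poster) that scans `mvn dependency:list`-style output for dom4j entries and flags the versions the thread names as affected by CVE-2018-1000632. The version rule comes from the thread (1.6.1 and 2.0.2 affected, 2.0.3 and 2.1.1 carrying the fix); treating any other version below 2.1.1 as affected, and the two groupIds `dom4j` (1.x) and `org.dom4j` (2.x), are assumptions. The sample output is constructed, not taken from a real project.

```python
"""Flag dom4j versions affected by CVE-2018-1000632 in Maven dependency output.

Added example for the thread above; not code from maven-archetype or dom4j.
Version rule from the thread: 1.6.1 and 2.0.0-2.0.2 affected, 2.0.3 and 2.1.1
fixed. Any other version below 2.1.1 is treated as affected (assumption).
"""
import re
from typing import List, Tuple

# Matches the dependency lines printed by `mvn dependency:list`:
# "[INFO]    groupId:artifactId:type:version:scope" (assumed line shape).
DEP_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(\w+):([\w.\-]+):(\w+)")

# groupIds under which dom4j has been published (assumption: 1.x under
# "dom4j", 2.x under "org.dom4j").
DOM4J_GROUPS = ("dom4j", "org.dom4j")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.1.1' into (2, 1, 1); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) + (0,) * (3 - len(parts))  # pad to at least 3 components


def is_affected(version: str) -> bool:
    """True when a dom4j version falls in the affected range for CVE-2018-1000632."""
    v = parse_version(version)
    if v >= (2, 1, 1):
        return False  # 2.1.1 carries the fix (per the thread)
    if v[:2] == (2, 0) and v[2] >= 3:
        return False  # 2.0.3 carries the fix (unreleased when the thread was written)
    return True  # 1.6.1, 2.0.0-2.0.2, and (assumed) anything else below 2.1.1


def find_vulnerable_dom4j(lines: List[str]) -> List[str]:
    """Return 'group:artifact:version:scope' for every affected dom4j entry."""
    hits = []
    for line in lines:
        m = DEP_LINE.match(line)
        if not m:
            continue
        group, artifact, _type, version, scope = m.groups()
        if artifact == "dom4j" and group in DOM4J_GROUPS and is_affected(version):
            hits.append(f"{group}:{artifact}:{version}:{scope}")
    return hits


# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:X.Y.Z:list (default-cli) @ example ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    dom4j:dom4j:jar:1.6.1:compile
[INFO]    org.dom4j:dom4j:jar:2.0.2:test
[INFO]    org.dom4j:dom4j:jar:2.1.1:compile
[INFO]    junit:junit:jar:4.12:test
""".splitlines()

if __name__ == "__main__":
    for hit in find_vulnerable_dom4j(SAMPLE_OUTPUT):
        print("affected by CVE-2018-1000632:", hit)
```

Run it against real output by piping `mvn dependency:list` into a file and passing its lines to `find_vulnerable_dom4j`; a transitive dom4j 1.6.1 pulled in by a plugin or another library shows up the same way as a direct dependency.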


