From: Enrico Olivelli
Date: Mon, 3 Jun 2019 16:23:42 +0200
Subject: Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
To: Maven Developers List <dev@maven.apache.org>
List-Id: "Maven Developers List"
Elliotte,

On Mon, 3 Jun 2019 at 15:59, Elliotte Rusty Harold <elharo@ibiblio.org> wrote:
> Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> be scheduled.
>
> And if that doesn't work, how much effort is it to switch off of dom4j
> completely?
>
> maven-archetype strikes me as too important to drop Java 7
> compatibility this soon.
>

Are you -1 on this change? If a user wants to use Java 7, he can use the current version of the plugin.

Enrico

>
> On Fri, May 31, 2019 at 3:02 PM Homer, Tony wrote:
> >
> > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
> > CVE-2018-1000632 [1].
> > I filed ARCHETYPE-567 [2] to track this.
> > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> > needed.
> > dom4j 2.1.x requires Java 8+ [3].
> > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > The current dev version (2.0.3) seems to contain a fix for
> > CVE-2018-1000632 but has been pending release for ~1 year.
> >
> > I opened PR #28 [4] to make these changes.
> > What else should I do to advance this proposal?
> >
> > Thanks!
> > Tony Homer
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > [3] https://dom4j.github.io
> > [4] https://github.com/apache/maven-archetype/pull/28
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
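The version picture Tony lays out (1.6.1 and 2.0.2 affected by CVE-2018-1000632, 2.0.3 fixed but unreleased, 2.1.x fixed but Java 8 only) is the kind of thing a build audit should check mechanically. The script below is an added example, not code from the maven-archetype project or from anyone in the thread: it scans a constructed pom.xml for dom4j dependencies and classifies each version against those thresholds. It assumes the artifact moved from groupId `dom4j` (1.x) to `org.dom4j` (2.x), which is not stated in the thread.

```python
# Added example: flag dom4j versions affected by CVE-2018-1000632 in a Maven POM.
# Thresholds come from the thread: < 2.0.3 vulnerable, 2.0.3 fixed, 2.1.x fixed but Java 8+.
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM, not a real project file; mirrors the thread's before/after state.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>dom4j</groupId><artifactId>dom4j</artifactId><version>1.6.1</version>
    </dependency>
    <dependency>
      <groupId>org.dom4j</groupId><artifactId>dom4j</artifactId><version>2.1.1</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(v):
    """Turn '2.0.2' into (2, 0, 2); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def assess_dom4j(version):
    """Classify a dom4j version: 'vulnerable', 'fixed' or 'fixed-java8'."""
    v = parse_version(version)
    if v >= (2, 1, 0):
        return "fixed-java8"   # 2.1.x carries the fix but requires Java 8+
    if v >= (2, 0, 3):
        return "fixed"         # 2.0.3 has the fix and keeps the Java 5+/7 baseline
    return "vulnerable"        # 1.6.1 and every 2.0.x release up to 2.0.2

def find_dom4j_deps(pom_xml):
    """Return [(groupId, version, assessment)] for every dom4j dependency in the POM."""
    root = ET.fromstring(pom_xml)
    out = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS)
        aid = dep.findtext("m:artifactId", "", NS)
        ver = dep.findtext("m:version", "", NS)
        # Assumption: 1.x used groupId 'dom4j', 2.x uses 'org.dom4j'; match on artifactId only.
        if aid == "dom4j":
            out.append((gid, ver, assess_dom4j(ver)))
    return out

if __name__ == "__main__":
    for gid, ver, status in find_dom4j_deps(SAMPLE_POM):
        print(f"{gid}:dom4j:{ver} -> {status}")
```

Versions declared through `<dependencyManagement>` or properties are not resolved here; run it against the effective POM (`mvn help:effective-pom`) for a real project.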