Posted to notifications@freemarker.apache.org by "Karim Mreisi (Jira)" <ji...@apache.org> on 2021/10/01 06:46:00 UTC

[jira] [Commented] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependent on it

    [ https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423125#comment-17423125 ] 

Karim Mreisi commented on FREEMARKER-190:
-----------------------------------------

Hi [~ddekany] ,

We are building an Eclipse RCP application which pulls in CDT makefile support, which pulls in org.eclipse.tools.templates.freemarker, which pulls in org.freemarker again....

1. The version of org.freemarker deployed from Eclipse is quite outdated (org.freemarker_2.3.22).
   It would be nice if someone checked with Eclipse to get this maintained / updated frequently :)
2. The latest version which can be pulled in from Maven Central (org.freemarker_2.3.31) is still marked as vulnerable to CVE-2020-10683.
   According to your comment there is actually no dom4j in the resulting artifact? => Today it is a false hit?
3. Yes, if you could update the reference so it does not get marked again, it would be great if you could update it to a CVE-free version: [https://www.cvedetails.com/vulnerability-list/vendor_id-19281/product_id-50171/version_id-263415/Dom4j-Project-Dom4j-1.6.1.html]

Thanks a lot :)

 

> The jar dom4j has known security issue that Freemarker compiles dependent on it
> --------------------------------------------------------------------------------
>
>                 Key: FREEMARKER-190
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-190
>             Project: Apache Freemarker
>          Issue Type: Wish
>          Components: engine
>    Affects Versions: 2.3.31
>            Reporter: PowerCOM_STARWAR
>            Priority: Major
>
> Hi, friend. When I compile FreeMarker, I find it depends on the jar dom4j, and its version is 1.3. From the Internet, this version 1.3 of dom4j has security issues, so please upgrade to the safe version. Thanks.
> The security issue number CVE-2020-10683 and link: [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The security issue number CVE-2018-1000632 and link: [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632]
