You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jena.apache.org by "Yev Bronshteyn (JIRA)" <ji...@apache.org> on 2017/06/20 18:26:00 UTC
[jira] [Created] (JENA-1364) Jena-core has dependency on vulnerable
Xerces version
Yev Bronshteyn created JENA-1364:
------------------------------------
Summary: Jena-core has dependency on vulnerable Xerces version
Key: JENA-1364
URL: https://issues.apache.org/jira/browse/JENA-1364
Project: Apache Jena
Issue Type: Bug
Components: Core
Affects Versions: Jena 3.3.0
Reporter: Yev Bronshteyn
jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).
{code}
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] | +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] | | \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] | | +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] | | | +- xerces:xercesImpl:jar:2.11.0:compile
{code}
A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)