You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jena.apache.org by "Andy Seaborne (JIRA)" <ji...@apache.org> on 2017/06/21 16:59:00 UTC
[jira] [Commented] (JENA-1364) Jena-core has dependency on
vulnerable Xerces version
[ https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057846#comment-16057846 ]
Andy Seaborne commented on JENA-1364:
-------------------------------------
[~ybronsht] Thank you for bringing this to the attention of the project. We will respond after internal discussion.
> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
> Key: JENA-1364
> URL: https://issues.apache.org/jira/browse/JENA-1364
> Project: Apache Jena
> Issue Type: Bug
> Components: Core
> Affects Versions: Jena 3.3.0
> Reporter: Yev Bronshteyn
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] | +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] | | \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] | | +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] | | | +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)