You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jena.apache.org by "Andy Seaborne (JIRA)" <ji...@apache.org> on 2017/06/21 16:59:00 UTC

[jira] [Commented] (JENA-1364) Jena-core has dependency on vulnerable Xerces version

    [ https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057846#comment-16057846 ] 

Andy Seaborne commented on JENA-1364:
-------------------------------------

[~ybronsht] Thank you for bringing this to the attention of the project. We will respond after internal discussion.

> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
>                 Key: JENA-1364
>                 URL: https://issues.apache.org/jira/browse/JENA-1364
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: Jena 3.3.0
>            Reporter: Yev Bronshteyn
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)