Posted to users@maven.apache.org by "Kotamarti, Usha" <us...@bofa.com.INVALID> on 2020/02/18 20:44:15 UTC

Velocity and Struts dependencies causing vulnerabilities

Hello,

We have an issue with the versions of the Velocity and Struts taglib, tiles and core jars that the Maven maven-pmd-plugin and maven-checkstyle-plugin are using.
Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.

These 2 plugins need to be upgraded to use velocity-tools version 3.0 and Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you please
let us know if there is a workaround to explicitly specify which versions of Velocity and Struts we would like pmd-plugin and checkstyle-plugin to use?

Thank you!
Usha Kotamarti



----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.

Re: Velocity and Struts dependencies causing vulnerabilities

Posted by Martin Gainty <mg...@hotmail.com>.
usha could you repost this issue to user@struts.apache.org?

if struts-taglib has a security vulnerability Lukasz and the Struts Team should be able to fix it

Good luck
martin-

________________________________
From: Hervé BOUTEMY <he...@free.fr>
Sent: Tuesday, February 18, 2020 4:45 PM
To: Maven Users List <us...@maven.apache.org>
Subject: Re: Velocity and Struts dependencies causing vulnerabilities

Hi,

We have a plan: instead of upgrading, we'll remove the dependencies, see
https://issues.apache.org/jira/browse/DOXIASITETOOLS-215

The Doxia Sitetools 1.9.2 release is planned in a few days; then we'll need to
release every reporting plugin after it.

Notice that these components are vulnerable, but they are used in Maven
plugins, not in a web application, so the vulnerability is not really
accessible: there is no real issue other than unused dependencies pulled in by
reporting plugins.

Regards,

Hervé

On Tuesday 18 February 2020 at 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
>
> We have an issue with the versions of the Velocity and Struts taglib, tiles and
> core jars that the Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Velocity and Struts dependencies causing vulnerabilities

Posted by Hervé BOUTEMY <he...@free.fr>.
Hi,

We have a plan: instead of upgrading, we'll remove the dependencies, see
https://issues.apache.org/jira/browse/DOXIASITETOOLS-215

The Doxia Sitetools 1.9.2 release is planned in a few days; then we'll need to
release every reporting plugin after it.

Notice that these components are vulnerable, but they are used in Maven
plugins, not in a web application, so the vulnerability is not really
accessible: there is no real issue other than unused dependencies pulled in by
reporting plugins.

Regards,

Hervé

On Tuesday 18 February 2020 at 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
> 
> We have an issue with the versions of the Velocity and Struts taglib, tiles and
> core jars that the Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
> 
> Thank you!
> Usha Kotamarti

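The check a practitioner would want after this thread is an inventory of which plugins in a given build actually resolve these jars, so the "present but not reachable" argument can be verified per plugin. The script below is an added example, not code from the thread or from the Maven project: it parses `mvn dependency:resolve-plugins` output (the two line shapes matched are assumed from the maven-dependency-plugin; SAMPLE_LOG is constructed, with invented plugin versions) and flags the velocity-tools 2.x and Struts 1.x artifacts named in the thread.

```python
"""Flag the velocity-tools 2.x / Struts 1.x jars named in the thread in Maven plugin classpaths.
Line shapes are assumed from `mvn dependency:resolve-plugins`; SAMPLE_LOG is constructed."""
import re

# Artifacts and version ranges called out in the thread.
FLAGGED = {
    "velocity-tools": lambda v: v.startswith("2."),
    "struts-core": lambda v: v.startswith("1."),
    "struts-taglib": lambda v: v.startswith("1."),
    "struts-tiles": lambda v: v.startswith("1."),
}
PLUGIN_RE = re.compile(r"Plugin Resolved:\s+(\S+)\.jar\s*$")
DEP_RE = re.compile(r"Plugin Dependency Resolved:\s+(\S+)\.jar\s*$")
NAME_VER_RE = re.compile(r"^(.+?)-(\d.*)$")  # <artifactId>-<version>; version starts with a digit

def split_name_version(stem):
    """'struts-core-1.3.8' -> ('struts-core', '1.3.8'); no version part -> (stem, '')."""
    m = NAME_VER_RE.match(stem)
    return (m.group(1), m.group(2)) if m else (stem, "")

def flagged_plugin_deps(log_lines):
    """Map each plugin to the flagged jars resolved for it, in log order.
    A hit means the jar is on the plugin classpath, not that it is reachable at build time."""
    findings, current_plugin = {}, None
    for line in log_lines:
        m = PLUGIN_RE.search(line)
        if m:
            current_plugin = m.group(1)  # dependency lines that follow belong to this plugin
            continue
        m = DEP_RE.search(line)
        if m and current_plugin:
            name, version = split_name_version(m.group(1))
            check = FLAGGED.get(name)
            if check and check(version):
                findings.setdefault(current_plugin, []).append(m.group(1))
    return findings  # plugins with nothing flagged are absent

SAMPLE_LOG = """\
[INFO] Plugin Resolved: maven-checkstyle-plugin-3.1.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-1.9.1.jar
[INFO]     Plugin Dependency Resolved: velocity-tools-2.0.jar
[INFO]     Plugin Dependency Resolved: struts-core-1.3.8.jar
[INFO] Plugin Resolved: maven-pmd-plugin-3.12.0.jar
[INFO]     Plugin Dependency Resolved: struts-taglib-1.3.8.jar
""".splitlines()  # constructed sample; plugin versions invented for illustration

if __name__ == "__main__":
    for plugin, jars in flagged_plugin_deps(SAMPLE_LOG).items():
        print(f"{plugin}: {', '.join(jars)}")
```

Feed it the real `mvn dependency:resolve-plugins` output of a project to see which reporting plugins carry the jars; a plugin that resolves none is simply absent from the result.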