You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cxf.apache.org by David Karlsen <da...@gmail.com> on 2020/10/30 11:34:48 UTC

CVE-2019-12419

https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf artifacts
(cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
* cxf-xjc-runtime-3.3.1.jar
* cxf-xjc-ts-3.1.0.jar

gets marked as vulnerable - even though these are the latest version and
unrelated to the issue - is there any way to get this fixed in the CVE? Are
you planning on newer versions?
If these were released with the same version as CXF the problem could be
avoided (we always run with the latest patch-level).

Any thoughts?

-- 
--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen

Re: CVE-2019-12419

Posted by Dennis Kieselhorst <de...@apache.org>.

Hi Colm,

in my case the issue was different (incorrect version range). Therefore I have no example that excludes XJC.

Best,
Dennis

Re: CVE-2019-12419

Posted by Colm O hEigeartaigh <co...@apache.org>.

Hi Dennis,

I checked a few of the more recent CVEs and they don't have that exclusion
pattern. Do you have a link to a CVE with the XJC exclusion? For now at
least we could mail NIST and ask them to update the pattern for any CVEs
that don't have the exclusion pattern.

Colm.

On Mon, Nov 2, 2020 at 7:56 PM Dennis Kieselhorst <ma...@dekies.de> wrote:

> > https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf
> artifacts
> > (cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
> > * cxf-xjc-runtime-3.3.1.jar
> > * cxf-xjc-ts-3.1.0.jar
> >
> > gets marked as vulnerable - even though these are the latest version and
> > unrelated to the issue - is there any way to get this fixed in the CVE?
> Are
> > you planning on newer versions?
> > If these were released with the same version as CXF the problem could be
> > avoided (we always run with the latest patch-level).
> >
> > Any thoughts?
> >
> Hmm in the past I emailed nvd@nist.gov and they fixed the pattern. Do
> you have a working proposal already?
>
> Best
>
> Dennis
>
>

Re: CVE-2019-12419

Posted by Dennis Kieselhorst <ma...@dekies.de>.

> https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf artifacts
> (cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
> * cxf-xjc-runtime-3.3.1.jar
> * cxf-xjc-ts-3.1.0.jar
>
> gets marked as vulnerable - even though these are the latest version and
> unrelated to the issue - is there any way to get this fixed in the CVE? Are
> you planning on newer versions?
> If these were released with the same version as CXF the problem could be
> avoided (we always run with the latest patch-level).
>
> Any thoughts?
>
Hmm in the past I emailed nvd@nist.gov and they fixed the pattern. Do 
you have a working proposal already?

Best

Dennis