Posted to pr@jena.apache.org by GitBox <gi...@apache.org> on 2020/02/28 15:27:37 UTC

[GitHub] [jena] afs commented on issue #700: Upgrades

URL: https://github.com/apache/jena/pull/700#issuecomment-592562847
 
 
shiro: This includes shiro 1.5.0 for Fuseki Full. Shiro before 1.4.2 has a CVE against it, CVE-2019-12422.

But the build is made messy:

- The jars are packed wrongly and shading jena-fuseki-fulljar generates a large block of warnings about overlapping classes. Looks to me like the same bytecode, copied into the shiro-core jar. (They modify the published shiro-core for some OSGi reason.)
- The fuseki-webapp tests generate warnings about configuration. Shiro uses reflection to do some initialization and, with duplicate code in jars, initialization is called twice on `IniRealm`.

The warnings look safe as far as I can tell.

So the choice is a messy build or exploring excluding dependencies of shiro-core. In theory, this is due to be fixed, but it has been around for a few versions now.

This PR leaves it as "messy build".
