Posted to dev@sling.apache.org by Jose Insua Fernandez <in...@adobe.com> on 2014/04/02 17:22:53 UTC

Vulnerable artifact referenced in a few Sling pom.xml files.

Hello everyone,

I've been checking the usage of the commons-fileupload component because versions prior to 1.3.1 have a security issue (CVE-2014-0050).

I see it referenced in the following pom.xml files:

/sling/tooling/support/install/pom.xml has version number 1.2.2
/sling/contrib/scripting/script-console/pom.xml has version number 1.1.1
/sling/contrib/extensions/obr/pom.xml has version number 1.1.1
/sling/bundles/commons/log/pom.xml has version number 1.2.1
/sling/bundles/engine/pom.xml has version number 1.3


The usage doesn't seem dangerous, but it would be nice to upgrade the versions to 1.3.1 to be sure.

Best regards.
Jose Antonio Insua

Re: Vulnerable artifact referenced in a few Sling pom.xml files.

Posted by Chetan Mehrotra <ch...@gmail.com>.
Thanks Jose for doing a review.

In most cases commons-fileupload is used for integration testing (at
least for script-console and log). In the other cases the dependency
is set to provided scope. So the older version is not used at runtime
and hence should not be an issue.

The important place to look is
launchpad/builder/src/main/bundles/list.xml [1], as the bundles mentioned
there get packaged in the final Sling distribution and hence actually get
used at runtime. There the version is 1.3.1, which has the required
security fix.

Chetan Mehrotra
[1] https://github.com/apache/sling/blob/trunk/launchpad/builder/src/main/bundles/list.xml

On Wed, Apr 2, 2014 at 8:52 PM, Jose Insua Fernandez <in...@adobe.com> wrote:
> Hello everyone,
>
> I've been checking the usage of the commons-fileupload component because versions prior to 1.3.1 have a security issue (CVE-2014-0050).
>
> I see it referenced in the following pom.xml files:
>
> /sling/tooling/support/install/pom.xml has version number 1.2.2
> /sling/contrib/scripting/script-console/pom.xml has version number 1.1.1
> /sling/contrib/extensions/obr/pom.xml has version number 1.1.1
> /sling/bundles/commons/log/pom.xml has version number 1.2.1
> /sling/bundles/engine/pom.xml has version number 1.3
>
>
> The usage doesn't seem dangerous, but it would be nice to upgrade the versions to 1.3.1 to be sure.
>
> Best regards.
> Jose Antonio Insua