You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Michael Osipov (JIRA)" <ji...@apache.org> on 2018/11/19 12:23:00 UTC

[jira] [Commented] (MJAVADOC-545) Struts 1.3.8

    [ https://issues.apache.org/jira/browse/MJAVADOC-545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691637#comment-16691637 ] 

Michael Osipov commented on MJAVADOC-545:
-----------------------------------------

That's a tricky one, it is a deep trans dep. The enitre Doxia change needs to switch to Velocity Engine 2.0 and Velocity Tools 3.0. If some newer version is binary compatible you can easily change his in your parent POM. Is that an option for you?

> Struts 1.3.8
> ------------
>
>                 Key: MJAVADOC-545
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-545
>             Project: Maven Javadoc Plugin
>          Issue Type: Dependency upgrade
>          Components: javadoc
>    Affects Versions: 3.0.1
>            Reporter: Chris Scott
>            Priority: Major
>
> Our security audits have reported that this plugin has a dependency on Struts 1.3.8 which has several critical security flaws. Although this is a build-time only plugin, this still represents a security issue. That version of Struts is also EOL which is far from ideal. Is there any way to update?
> [https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-164423/Apache-Struts-1.3.8.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)