You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2021/08/30 11:29:00 UTC

[jira] [Commented] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue

    [ https://issues.apache.org/jira/browse/WAGON-612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17406685#comment-17406685 ] 

Michael Osipov commented on WAGON-612:
--------------------------------------

This issue can only happen if the HttpWagon is used to list files which uses JSoup to parse the Apache HTTPd listing.
[~hboutemy], yes another reason to drop JSoup.

> Update jsoup to >= 1.14.2 for fix security issue
> ------------------------------------------------
>
>                 Key: WAGON-612
>                 URL: https://issues.apache.org/jira/browse/WAGON-612
>             Project: Maven Wagon
>          Issue Type: Dependency upgrade
>          Components: wagon-http
>    Affects Versions: 3.4.3
>            Reporter: Nikolay Krasko
>            Priority: Minor
>
> There's a vulnerability report for the jsoup <= 1.14.2 [https://www.cvedetails.com/cve/CVE-2021-37714|https://www.cvedetails.com/cve/CVE-2021-37714/]
> jsoup:1.12.1 is used by wagon-http-shared:3.4.3, that triggers security bots alerts. 
> Please could you update the dependency and release a new version?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)