[jira] [Updated] (WHISKER-20) Integrate update of Jdom in order to fix CVE

Philipp Ottlinger (Jira) Thu, 23 Dec 2021 14:29:04 -0800


     [ 
https://issues.apache.org/jira/browse/WHISKER-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Philipp Ottlinger updated WHISKER-20:
-------------------------------------
    Description: 
A simple upgrade of the jdom dependency does not work:
https://github.com/apache/creadur-whisker/pull/6

As Jdom is marked as a security problem of Whisker try updating and upgrading:

{{
CVE-2021-33813
high severity
Vulnerable versions: <= 2.0.6
Patched version: No fix

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a 
denial of service via a crafted HTTP request. At this time there is not 
released fixed version of JDOM. As a workaround, to avoid external entities 
being expanded, one can call builder.setExpandEntities(false) and they won't be 
expanded.
}}

currently available version is:
<version>2.0.6.1</version>
https://github.com/hunterhacker/jdom

  was:
A simple upgrade of the jdom dependency does not work:
https://github.com/apache/creadur-whisker/pull/6

As Jdom is marked as a security problem of Whisker try updating and upgrading:

{{
CVE-2021-33813
high severity
Vulnerable versions: <= 2.0.6
Patched version: No fix

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a 
denial of service via a crafted HTTP request. At this time there is not 
released fixed version of JDOM. As a workaround, to avoid external entities 
being expanded, one can call builder.setExpandEntities(false) and they won't be 
expanded.
}}



> Integrate update of Jdom in order to fix CVE
> --------------------------------------------
>
>                 Key: WHISKER-20
>                 URL: https://issues.apache.org/jira/browse/WHISKER-20
>             Project: Apache Whisker
>          Issue Type: Improvement
>            Reporter: Philipp Ottlinger
>            Priority: Major
>
> A simple upgrade of the jdom dependency does not work:
> https://github.com/apache/creadur-whisker/pull/6
> As Jdom is marked as a security problem of Whisker try updating and upgrading:
> {{
> CVE-2021-33813
> high severity
> Vulnerable versions: <= 2.0.6
> Patched version: No fix
> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a 
> denial of service via a crafted HTTP request. At this time there is not 
> released fixed version of JDOM. As a workaround, to avoid external entities 
> being expanded, one can call builder.setExpandEntities(false) and they won't 
> be expanded.
> }}
> currently available version is:
> <version>2.0.6.1</version>
> https://github.com/hunterhacker/jdom



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (WHISKER-20) Integrate update of Jdom in order to fix CVE

Reply via email to