[
https://issues.apache.org/jira/browse/WHISKER-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466431#comment-17466431
]
ASF subversion and git services commented on WHISKER-20:
--------------------------------------------------------
Commit 857380840c1f2ff3ef586c81cbbd4d8c609b0c8e in creadur-whisker's branch
refs/heads/master from P. Ottlinger
[ https://gitbox.apache.org/repos/asf?p=creadur-whisker.git;h=8573808 ]
Merge pull request #6 from apache/dependabot/maven/org.jdom-jdom-2.0.2
WHISKER-20: Bump jdom from 1.1.3 to 2.0.2
> Integrate update of Jdom in order to fix CVE
> --------------------------------------------
>
> Key: WHISKER-20
> URL: https://issues.apache.org/jira/browse/WHISKER-20
> Project: Apache Whisker
> Issue Type: Improvement
> Reporter: Philipp Ottlinger
> Assignee: Philipp Ottlinger
> Priority: Major
>
> A simple upgrade of the jdom dependency does not work:
> https://github.com/apache/creadur-whisker/pull/6
> As Jdom is marked as a security problem of Whisker try updating and upgrading:
> {{
> CVE-2021-33813
> high severity
> Vulnerable versions: <= 2.0.6
> Patched version: No fix
> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a
> denial of service via a crafted HTTP request. At this time there is not
> released fixed version of JDOM. As a workaround, to avoid external entities
> being expanded, one can call builder.setExpandEntities(false) and they won't
> be expanded.
> }}
> currently available version is:
> <version>2.0.6.1</version>
> https://github.com/hunterhacker/jdom
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
