[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17387903#comment-17387903 ]

Karthick commented on GERONIMO-6814:
------------------------------------

Hi, I am unable to find what the 'spec' means. Not in Maven [Maven Repository: org.apache.geronimo.specs » geronimo-jms_1.1_spec » 1.1.1 (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.geronimo.specs/geronimo-jms_1.1_spec/1.1.1] and not in GitHub [apache/geronimo-specs: Mirror of Apache Geronimo specs (github.com)|https://github.com/apache/geronimo-specs]. Could you provide a differentiating factor between what artifacts you mean as runtime/server and what the definition of 'specs' is?

> Improve Geronimo specs to mitigate CVE-2011-5034
> ------------------------------------------------
>
>                 Key: GERONIMO-6814
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6814
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: geronimo-maven-plugin
>    Affects Versions: 1.1.1
>            Reporter: Karthick
>            Priority: Major
>
> Hi,
>
> By default Apache Karaf 4.3.2 ([Maven Repository: org.apache.karaf » apache-karaf » 4.3.2 (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.3.2]) packs geronimo-jms_1.1_spec version 1.1.1, which, when scanned through security tools like JFrog Xray and Anchore, is reported for CVE-2011-5034 ([NVD - CVE-2011-5034 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2011-5034]).
> However, there seems to be no later version of Geronimo where this CVE is fixed. It has been 10 years since this CVE was created and no fix has been seen yet. Do you have an analysis on whether this CVE really affects Geronimo specs, or any plan to provide a next version?
> There

--
This message was sent by Atlassian Jira
(v8.3.4#803005)