[ 
https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17388651#comment-17388651
 ] 

Karthick commented on GERONIMO-6814:
------------------------------------

I can see that these Geronimo JMS and JTA specs expose javax.transaction and
javax.jms APIs. So, do you mean that this CVE on hash collision doesn't affect
these Java APIs?

> Improve Geronimo specs to mitigate CVE-2011-5034
> ------------------------------------------------
>
>                 Key: GERONIMO-6814
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6814
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: geronimo-maven-plugin
>    Affects Versions: 1.1.1
>            Reporter: Karthick
>            Priority: Major
>
> Hi,
>  
> By default Apache Karaf 4.3.2 ([Maven Repository: org.apache.karaf » 
> apache-karaf » 4.3.2 
> (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.3.2]
>  packs jms_geronimo_1.1_spec 1.1.1 version which when scanned through 
> security tools like Jfrog XRay and Anchore reports CVE-2011-5034 ([NVD - 
> CVE-2011-5034 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2011-5034] )
> However, there seems to be no later version of geronimo where this CVE is 
> fixed. It has been 10 years since this CVE was created and no fix seen yet. Do 
> you have analysis on whether this CVE really affects geronimo specs or any 
> plan to provide next version?
> There 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
