[jira] [Commented] (JENA-1364) Jena-core has dependency on vulnerable Xerces version

Andy Seaborne (JIRA) Wed, 21 Jun 2017 09:59:29 -0700

    [ 
https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057846#comment-16057846
 ]


Andy Seaborne commented on JENA-1364:
-------------------------------------

[~ybronsht] Thank you for bringing this to the attention of the project. We 
will respond after internal discussion.

> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
>                 Key: JENA-1364
>                 URL: https://issues.apache.org/jira/browse/JENA-1364
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: Jena 3.3.0
>            Reporter: Yev Bronshteyn
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability 
> CVE-2013-4002 (exploitable, resulting in DOS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of 
> the Red Hat repositories.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (JENA-1364) Jena-core has dependency on vulnerable Xerces version

Reply via email to