[
https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057858#comment-16057858
]
Rob Vesse commented on JENA-1364:
---------------------------------
Linking the relevant Xerces JIRA
> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
> Key: JENA-1364
> URL: https://issues.apache.org/jira/browse/JENA-1364
> Project: Apache Jena
> Issue Type: Bug
> Components: Core
> Affects Versions: Jena 3.3.0
> Reporter: Yev Bronshteyn
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability
> CVE-2013-4002 (exploitable, resulting in DOS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] | +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] | | \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] | | +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] | | | +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of
> the Red Hat repositories.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
