[ https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16064959#comment-16064959 ]
Andy Seaborne commented on JENA-1364:
-------------------------------------
As a workaround, here are two ways to switch to using a different version of
Xerces with a released version of Apache Jena. One way is to re-compile from
source; the other is to exclude the affected Apache Xerces dependency and
replace it with another one.
Apache Jena is open source and the source code forms the primary release by the
project.
Application writers that wish to address this CVE can download the Jena source
for a specific release and rebuild Apache Jena for their local systems by
including the Redhat General Release repository and changing the Maven property
that gives the version of Xerces (see jena-parent/pom.xml):
https://apache.org/dist/jena/
or, for previous releases, the archives:
https://archive.apache.org/dist/jena/
An application writer can exclude the version of Xerces specified in the POM
files of released Jena Maven binary artifacts by using the Maven exclusion
mechanism for dependencies and replacing Xerces 2.11.0 with another version. It
is likely that the application developer will need to include the Redhat
General Release repository.
Jena makes use of internal Xerces functions for datatype processing, but not
internal features for RDF/XML parsing. Modified Xerces 2.11.0 that only
addresses the CVE should work with Jena - the application writer is urged to
test compatibility.
{noformat}
<dependency>
  <groupId>org.apache.jena</groupId>
  <artifactId>apache-jena-libs</artifactId>
  <!-- *** Set Jena version here *** -->
  <version>3.3.0</version>
  <type>pom</type>
  <exclusions>
    <exclusion>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>xerces</groupId>
  <artifactId>xercesImpl</artifactId>
  <!-- *** Inspect the Redhat repo for exact version number ***
       *** version 2.11.0.SP5-redhat-1
       *** is known to exist at the time of writing
  -->
  <version>????</version>
</dependency>
{noformat}
-- Apache Jena PMC
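A way to confirm that the exclusion above actually took effect, added here as an example and not taken from the issue or from the Jena project: dump the resolved dependency tree with `mvn dependency:tree` and scan it for the upstream `xerces:xercesImpl:jar:2.11.0` coordinate. The two tree dumps embedded below are constructed samples modelled on the one in the issue report; the Red Hat version string used in the "after" sample is the one named in the comment, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Jena issue or project.
# Capture the real tree for your build with:
#   mvn dependency:tree -Dincludes=xerces:xercesImpl > tree.txt
# then run:  xerces_check tree.txt

# Print every distinct resolved xerces:xercesImpl version found in a
# dependency:tree dump (lines look like "[INFO] |  +- xerces:xercesImpl:jar:2.11.0:compile").
xerces_versions() {
    sed -n 's/.*xerces:xercesImpl:jar:\([^:]*\):.*/\1/p' "$1" | sort -u
}

# Return 0 when the unpatched upstream 2.11.0 is no longer resolved,
# 1 when it is still on the classpath (the exclusion missed a path to it).
xerces_check() {
    found=0
    for v in $(xerces_versions "$1"); do
        if [ "$v" = "2.11.0" ]; then
            echo "UNPATCHED: xerces:xercesImpl:$v still resolved (CVE-2013-4002)" >&2
            found=1
        else
            echo "resolved: xerces:xercesImpl:$v"
        fi
    done
    return $found
}

# Constructed sample: tree before the exclusion (mirrors the issue report).
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
EOF

# Constructed sample: tree after the exclusion plus the direct Red Hat dependency.
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] \- xerces:xercesImpl:jar:2.11.0.SP5-redhat-1:compile
EOF

for f in "$BEFORE" "$AFTER"; do
    if xerces_check "$f"; then
        echo "$f: OK"
    else
        echo "$f: fix the exclusion or the replacement dependency"
    fi
done
```

Note that a Maven exclusion only prunes the subtree of the dependency it is declared on, so if some other dependency in the project also pulls in `xerces:xercesImpl`, the plain 2.11.0 reappears in the tree and the check fails; running it against the full tree rather than the filtered one shows which path brought it in.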
> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
> Key: JENA-1364
> URL: https://issues.apache.org/jira/browse/JENA-1364
> Project: Apache Jena
> Issue Type: Bug
> Components: Core
> Affects Versions: Jena 3.3.0
> Reporter: Yev Bronshteyn
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability,
> CVE-2013-4002 (exploitable, resulting in DoS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] | +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] | | \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] | | +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] | | | +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of
> the Red Hat repositories.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)