[
https://issues.apache.org/jira/browse/JENA-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463593#comment-16463593
]
Andy Seaborne edited comment on JENA-1364 at 5/4/18 9:10 AM:
-------------------------------------------------------------
Apache Xerces is no longer a dependency requirement for Apache Jena. JENA-1537
extracts the Xerces validation code for Jena's use and removes the dependency
on Xerces as the XML parser.
Any XML parser can be used with Jena (defaulting to the JDK-provided one)
through the usual mechanism for adding to the application.
was (Author: andy.seaborne):
Apaxche Xerces is no longer a dependency requirement for Apache Jena. JENA-1537
extracts the Xerces validation code for Jena's use and removes the dependency
on Xerces as the XML parser.
Any XML parser can be used with Jena (defaulting to the JDK-provided one)
through the usual mechanism for adding to the application.
> Jena-core has dependency on vulnerable Xerces version
> -----------------------------------------------------
>
> Key: JENA-1364
> URL: https://issues.apache.org/jira/browse/JENA-1364
> Project: Apache Jena
> Issue Type: Bug
> Components: Core
> Affects Versions: Jena 3.3.0
> Reporter: Yev Bronshteyn
> Assignee: Andy Seaborne
> Priority: Major
> Fix For: Jena 3.8.0
>
>
> jena-core pulls in Xerces 2.11.0, which has a known vulnerability
> CVE-2013-4002 (exploitable, resulting in DOS).
> {code}
> [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
> [INFO] | +- org.apache.jena:jena-tdb:jar:3.3.0:compile
> [INFO] | | \- org.apache.jena:jena-arq:jar:3.3.0:compile
> [INFO] | | +- org.apache.jena:jena-core:jar:3.3.0:compile
> [INFO] | | | +- xerces:xercesImpl:jar:2.11.0:compile
> {code}
> A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of
> the Red Hat repositories.
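The report above identifies the vulnerable artifact by reading the `mvn dependency:tree` output by hand. The following script, added here as an example and not part of the issue or of Jena's own code, automates that check: it parses the tree, tracks the path from the root to each node, and flags `xerces:xercesImpl` wherever its version sorts below the 2.11.0.SP1 floor the reporter suggests. The sample tree is a constructed copy of the excerpt in the report, and the version ordering is a deliberately simplified approximation of Maven's (an assumption of this example, not Maven's `ComparableVersion`).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the `mvn dependency:tree` excerpt in the report:
# Jena 3.3.0 bringing in xerces:xercesImpl 2.11.0 through jena-core.
SAMPLE_TREE = """\
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \\- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
"""

# Artifacts to flag and the lowest version treated as fixed. The SP1 floor is
# the one suggested in the report for CVE-2013-4002.
WATCHLIST: Dict[str, str] = {"xerces:xercesImpl": "2.11.0.SP1"}

# One tree node: "[INFO] " + tree-drawing prefix + "+- " or "\- " + coordinate.
_NODE = re.compile(r"^\[INFO\] (?P<prefix>[ |]*)(?:\+-|\\-) (?P<coord>\S+)")


def version_key(version: str) -> List[Tuple[int, object]]:
    """Simplified stand-in for Maven's version ordering (an assumption of this
    example): numeric parts compare numerically, an SPn qualifier ranks above
    the bare release, any other qualifier (alpha, beta, rc, SNAPSHOT, ...)
    ranks below it."""
    key: List[Tuple[int, object]] = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            key.append((1, int(token)))
        elif token.upper().startswith("SP") and token[2:].isdigit():
            key.append((2, int(token[2:])))
        else:
            key.append((0, token.lower()))
    return key


def is_older(found: str, fixed: str) -> bool:
    """True when `found` sorts strictly below `fixed`. Both keys are padded with
    release placeholders so that 2.11.0 < 2.11.0.SP1 and 2.11.0-beta < 2.11.0."""
    a, b = version_key(found), version_key(fixed)
    width = max(len(a), len(b))
    a += [(1, 0)] * (width - len(a))
    b += [(1, 0)] * (width - len(b))
    return a < b


def find_vulnerable(tree_text: str,
                    watchlist: Dict[str, str] = WATCHLIST) -> List[Tuple[str, List[str]]]:
    """Walk `mvn dependency:tree` output and return (coordinate, path_from_root)
    for every watchlisted artifact whose version is below its fixed version."""
    findings: List[Tuple[str, List[str]]] = []
    stack: List[str] = []  # coordinates of the ancestors, one per depth level
    for line in tree_text.splitlines():
        m = _NODE.match(line)
        if not m:
            continue  # banners, blank lines and other non-node output
        depth = len(m.group("prefix")) // 3  # Maven indents three columns per level
        coord = m.group("coord")
        del stack[depth:]  # leaving a subtree discards deeper ancestors
        stack.append(coord)
        parts = coord.split(":")  # group:artifact:type[:classifier]:version:scope
        group_artifact = ":".join(parts[:2])
        version = parts[-2]  # the version always sits just before the scope
        fixed = watchlist.get(group_artifact)
        if fixed is not None and is_older(version, fixed):
            findings.append((coord, list(stack)))
    return findings


if __name__ == "__main__":
    for coord, path in find_vulnerable(SAMPLE_TREE):
        print(coord, "reached via", " -> ".join(path))
```

Reporting the full path rather than just the coordinate is what tells you where to act: here the hit is reachable only through `jena-core`, which is consistent with the resolution in the comment above (Jena 3.8.0 drops the Xerces dependency), whereas a direct hit would call for an exclusion or an upgrade in your own POM.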
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)