We are working hard to get this done. I will commit as soon as CI is green (blue...)
Enrico

On Sat 1 Jun 2019, 10:02 Enrico Olivelli <eolive...@gmail.com> wrote:

> If there is any complaint I will commit the change.
> We are already moving to java8 other plugins that are not part of the core
> lifecycle (Maven 3 supports java7)
>
>
> Enrico
>
> On Fri 31 May 2019, 21:43 Enrico Olivelli <eolive...@gmail.com> wrote:
>
>> +1
>> Enrico
>>
>> On Fri 31 May 2019, 21:02 Homer, Tony <tony.ho...@intel.com> wrote:
>>
>>> Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
>>> CVE-2018-1000632 [1].
>>> I filed ARCHETYPE-567 [2] to track this.
>>> In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
>>> needed.
>>> dom4j 2.1.x requires Java 8+ [3].
>>> dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
>>> latest release (2.0.2) is vulnerable to CVE-2018-1000632.
>>> The current dev version (2.0.3) seems to contain a fix for
>>> CVE-2018-1000632 but has been pending release for ~1 year.
>>>
>>> I opened PR #28 [4] to make these changes.
>>> What else should I do to advance this proposal?
>>>
>>> Thanks!
>>> Tony Homer
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
>>> [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
>>> [3] https://dom4j.github.io
>>> [4] https://github.com/apache/maven-archetype/pull/28