Elliotte,

On Mon, 3 Jun 2019 at 15:59, Elliotte Rusty Harold <
elh...@ibiblio.org> wrote:

> Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> be scheduled.
>
> And if that doesn't work, how much effort is it to switch off of dom4j
> completely?
>
> maven-archetype strikes me as too important to drop Java 7
> compatibility this soon.
>

Are you -1 with this change?
If a user wants to use Java 7, he can use the current version of the plugin.

Enrico

>
>
> On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.ho...@intel.com> wrote:
> >
> > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
> CVE-2018-1000632 [1].
> > I filed ARCHETYPE-567 [2] to track this.
> > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> needed.
> > dom4j 2.1.x requires Java 8+ [3].
> > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > The current dev version (2.0.3) seems to contain a fix for
> CVE-2018-1000632 but has been pending release for ~1 year.
> >
> > I opened PR #28 [4] to make these changes.
> > What else should I do to advance this proposal?
> >
> > Thanks!
> > Tony Homer
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > [3] https://dom4j.github.io
> > [4] https://github.com/apache/maven-archetype/pull/28
> >
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>
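The quoted message turns on which dom4j version a build actually resolves (1.6.1 and 2.0.2 affected by CVE-2018-1000632, 2.1.1 fixed, the 2.0.3 fix unreleased at the time). The following is an added example, not code from the thread or from the maven-archetype project: it parses the kind of output `mvn dependency:tree` prints and flags any dom4j coordinate below 2.1.1. The dependency tree text is constructed for the example, and the fixed-version threshold follows the thread's own statement that 2.1.1 is the release carrying the fix (since no fixed 2.0.x release existed, every version below 2.1.1 is treated as affected).

```python
import re

# Constructed sample of `mvn dependency:tree` output for a project that still
# pulls in dom4j 1.6.1 transitively (not real output from maven-archetype).
SAMPLE_TREE = """\
[INFO] org.example:my-archetype-plugin:jar:1.0-SNAPSHOT
[INFO] +- org.apache.maven:maven-core:jar:3.6.1:compile
[INFO] +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# Per the thread, 2.1.1 is the released version containing the fix for
# CVE-2018-1000632; the 2.0.x fix (2.0.3) was unreleased, so anything
# below 2.1.1 is treated as affected.
FIXED_VERSION = (2, 1, 1)

# One resolved dependency line: groupId:artifactId:type:version:scope
DEP_RE = re.compile(
    r'(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)'
    r':(?P<version>[\w.\-]+):(?P<scope>\w+)'
)


def parse_version(version):
    """Turn '1.6.1' or '1.0.b2' into a comparable (major, minor, patch) tuple.

    Parsing stops at the first non-numeric component, so qualifiers such as
    'b2' or 'SNAPSHOT' are ignored rather than compared lexically.
    """
    parts = []
    for piece in re.split(r'[.\-]', version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_dom4j(tree_text):
    """Return (groupId:artifactId, version) for every dom4j coordinate.

    dom4j 1.x was published under groupId 'dom4j', 2.x under 'org.dom4j',
    so both are checked.
    """
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        if m.group('artifact') == 'dom4j' and m.group('group') in ('dom4j', 'org.dom4j'):
            hits.append((f"{m.group('group')}:{m.group('artifact')}", m.group('version')))
    return hits


def is_affected(version):
    """True when the resolved dom4j version predates the 2.1.1 fix."""
    return parse_version(version) < FIXED_VERSION


def audit(tree_text):
    """Return (coordinate, version, affected) for each dom4j found in the tree."""
    return [(coord, ver, is_affected(ver)) for coord, ver in find_dom4j(tree_text)]


if __name__ == "__main__":
    for coord, ver, affected in audit(SAMPLE_TREE):
        status = "AFFECTED (< 2.1.1)" if affected else "ok"
        print(f"{coord}:{ver} -> {status}")
```

Run it against real output with `mvn dependency:tree | python3 audit_dom4j.py` after changing the script to read `sys.stdin`; the transitive check matters because, as the thread notes, the vulnerable version arrives through maven-archetype rather than being declared by the consuming project.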
