Yuanhua Han created DIRMINA-1178:
------------------------------------

             Summary: Is there any plan to fix the dependent vulnerabilities of the dependent software pmd 4.3?
                 Key: DIRMINA-1178
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1178
             Project: MINA
          Issue Type: Wish
    Affects Versions: 2.2.3
            Reporter: Yuanhua Han
Hello, we found that Apache MINA 2.2.3 depends on pmd 4.3, which is a very old version (released on November 11, 2011), and the dependent components of pmd 4.3 have some vulnerabilities. The pmd community has since fixed these vulnerabilities in the latest version. Can I ask whether the Apache MINA community has any plans to adapt to the new version of pmd to fix these vulnerabilities? If so, which version of pmd will be adapted in the future? Thanks.

The detailed dependencies and related vulnerabilities are as follows:

mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6 (CVE-2012-2098)
mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4 (CVE-2020-15250)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1 (CVE-2018-1000632, CVE-2020-10683)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0 (CVE-2014-0107, CVE-2022-34169)
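The chains in the report are exactly what a triage script should produce from a build's own dependency listing: every root-to-leaf path that ends in a component with a known-affected version, grouped by the direct dependency that pulls it in (here, all six findings enter through pmd 4.3, so one exclusion or upgrade addresses all of them). The following is an added example and not MINA project code. It parses the text format of `mvn dependency:tree`, matches leaves against an advisory table, and prints the paths. The tree text is constructed to mirror the report (the groupIds in it are assumed; only artifactIds, versions and CVE ids come from the report), and the advisory dictionary is a hand-written stand-in for a real advisory feed.

```python
"""Find root-to-leaf paths in `mvn dependency:tree` output whose leaf is a
known-affected artifact version. Added example, not project code."""
import re
from typing import Dict, List, Tuple

Node = Tuple[str, str, str]  # (groupId, artifactId, version)

# Constructed `mvn dependency:tree -Dverbose` style listing mirroring the report.
# The groupIds are assumptions for illustration; artifactIds/versions are from the report.
SAMPLE_TREE = """\
[INFO] org.apache.mina:mina-legal:jar:2.2.3
[INFO] +- pmd:pmd:jar:4.3:compile
[INFO] |  +- org.apache.ant:ant:jar:1.6:compile
[INFO] |  +- junit:junit:jar:4.4:compile
[INFO] |  \\- jaxen:jaxen:jar:1.1.1:compile
[INFO] |     +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |     +- xerces:xercesImpl:jar:2.6.2:compile
[INFO] |     \\- xom:xom:jar:1.0:compile
[INFO] |        +- xerces:xercesImpl:jar:2.6.2:compile
[INFO] |        \\- xalan:xalan:jar:2.6.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# Hand-written stand-in for an advisory feed: (artifactId, version) -> CVE ids as listed in the report.
ADVISORIES: Dict[Tuple[str, str], List[str]] = {
    ("ant", "1.6"): ["CVE-2012-2098"],
    ("junit", "4.4"): ["CVE-2020-15250"],
    ("dom4j", "1.6.1"): ["CVE-2018-1000632", "CVE-2020-10683"],
    ("xercesImpl", "2.6.2"): ["CVE-2018-2799", "CVE-2022-23437"],
    ("xalan", "2.6.0"): ["CVE-2014-0107", "CVE-2022-34169"],
}

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# A Maven coordinate at end of line: groupId:artifactId:type[:classifier]:version[:scope].
# Tree-drawing characters ('+', '|', '\\', '-', spaces) never form a colon-separated run, so the
# leftmost match starts at the coordinate itself.
COORD_RE = re.compile(r"[\w.-]+:[\w.-]+:[\w.-]+:[\w.:-]+$")


def parse_coordinate(coord: str) -> Node:
    """Reduce a Maven coordinate to (groupId, artifactId, version), dropping type/classifier/scope."""
    parts = coord.split(":")
    if parts[-1] in SCOPES:
        parts = parts[:-1]
    return parts[0], parts[1], parts[-1]


def parse_tree(text: str) -> List[List[Node]]:
    """Return one root-to-node path per line of the tree, in listing order."""
    paths: List[List[Node]] = []
    stack: List[Node] = []
    for raw in text.splitlines():
        line = raw.replace("[INFO] ", "", 1).rstrip()
        m = COORD_RE.search(line)
        if not m:
            continue  # plugin banners, blank lines, BUILD SUCCESS, etc.
        depth = len(line[: m.start()]) // 3  # each nesting level is a 3-char prefix ("+- ", "|  ", "   ")
        del stack[depth:]  # pop back to this node's parent
        stack.append(parse_coordinate(m.group(0)))
        paths.append(list(stack))
    return paths


def format_chain(path: List[Node]) -> str:
    """Render a path in the report's 'artifact version ---> ...' notation."""
    return " ---> ".join(f"{artifact} {version}" for _, artifact, version in path)


def find_affected(text: str, advisories: Dict[Tuple[str, str], List[str]]) -> List[Tuple[List[Node], List[str]]]:
    """Every path whose leaf matches an advisory, with the advisory's CVE ids."""
    findings = []
    for path in parse_tree(text):
        _, artifact, version = path[-1]
        cves = advisories.get((artifact, version))
        if cves:
            findings.append((path, list(cves)))
    return findings


def direct_dependency_summary(findings: List[Tuple[List[Node], List[str]]]) -> Dict[str, int]:
    """Count findings by the direct dependency that introduces them (path[1], or the root itself)."""
    counts: Dict[str, int] = {}
    for path, _ in findings:
        _, artifact, version = path[1] if len(path) > 1 else path[0]
        key = f"{artifact} {version}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_affected(SAMPLE_TREE, ADVISORIES)
    for path, cves in results:
        print(f"{format_chain(path)} ({', '.join(cves)})")
    print("findings per direct dependency:", direct_dependency_summary(results))
```

Run against a real project with `mvn dependency:tree -Dverbose` piped into the parser; the verbose flag keeps repeated subtrees such as the second xercesImpl, which the default output collapses as a duplicate. Lines that carry extra annotations in parentheses are skipped by the end-of-line anchor and would need a slightly looser pattern.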