Yuanhua Han created DIRMINA-1178:
------------------------------------

             Summary: Is there any plan to fix the dependent vulnerabilities of the dependent software pmd 4.3?
                 Key: DIRMINA-1178
                 URL: https://issues.apache.org/jira/browse/DIRMINA-1178
             Project: MINA
          Issue Type: Wish
    Affects Versions: 2.2.3
            Reporter: Yuanhua Han


Hello, we found that Apache MINA 2.2.3 depends on pmd 4.3, which is a very old
version (released on November 11, 2011).

And the dependent components of pmd 4.3 have some vulnerabilities. Currently, 
the pmd community has fixed these vulnerabilities in the latest version.

Can I ask if there are any plans for the Apache MINA community to adapt to the new
version of pmd to fix these vulnerabilities? If so, which version of pmd will
be adapted in the future?

Thanks.

The detailed dependencies and related vulnerabilities are as follows:

mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6 (CVE-2012-2098)
mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4 (CVE-2020-15250)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1 (CVE-2018-1000632, CVE-2020-10683)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0 (CVE-2014-0107, CVE-2022-34169)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
