[ https://issues.apache.org/jira/browse/DIRMINA-1178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yuanhua Han updated DIRMINA-1178:
---------------------------------

Description:

Hello, we found that Apache MINA 2.2.3 depends on pmd 4.3, which is a very old version (released on November 11, 2011), and the components that pmd 4.3 depends on have some vulnerabilities. Currently, the pmd community has fixed these vulnerabilities in the latest version. Does this vulnerability affect Apache MINA? If yes, can I ask whether the Apache MINA community has any plans to adapt to the new version of pmd to fix these vulnerabilities? If so, which version of pmd will be adapted in the future? Thanks.

The detailed dependencies and related vulnerabilities are as follows:

mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6 (CVE-2012-2098)
mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4 (CVE-2020-15250)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1 (CVE-2018-1000632, CVE-2020-10683)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0 (CVE-2014-0107, CVE-2022-34169)

was:

Hello, we found that Apache MINA 2.2.3 depends on pmd 4.3, which is a very old version (released on November 11, 2011), and the components that pmd 4.3 depends on have some vulnerabilities. Currently, the pmd community has fixed these vulnerabilities in the latest version. Can I ask whether the Apache MINA community has any plans to adapt to the new version of pmd to fix these vulnerabilities? If so, which version of pmd will be adapted in the future? Thanks.

The detailed dependencies and related vulnerabilities are as follows:

mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6 (CVE-2012-2098)
mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4 (CVE-2020-15250)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1 (CVE-2018-1000632, CVE-2020-10683)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2 (CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0 (CVE-2014-0107, CVE-2022-34169)

> Is there any plan to fix the dependent vulnerabilities of the dependent
> software pmd 4.3?
> -----------------------------------------------------------------------
>
>                 Key: DIRMINA-1178
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1178
>             Project: MINA
>          Issue Type: Wish
>    Affects Versions: 2.2.3
>            Reporter: Yuanhua Han
>            Priority: Major
>              Labels: security

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
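The reporter's question ("Does this vulnerability affect Apache MINA?") hinges on how each vulnerable artifact is reached, not just on whether it appears in the tree: a transitive dependency that only enters through a test- or provided-scoped dependency never lands on the shipped runtime classpath, while the same artifact under a compile-scoped dependency does. The script below is an added triage example, not code from the reporter or the MINA project. It parses the dependency chains exactly as listed in the issue, deduplicates the CVEs per artifact (xercesImpl 2.6.2 appears on two paths), and classifies each CVE by whether its entry point reaches runtime. The scope map it is called with is constructed for illustration; the real answer requires reading the scope of the pmd dependency in the actual mina-legal pom, which this page does not show. Unknown scopes are treated as the worst case.

```python
import re
from collections import defaultdict

# Dependency chains copied verbatim from the issue text of DIRMINA-1178.
CHAINS = """\
mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6(CVE-2012-2098)
mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4(CVE-2020-15250)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1(CVE-2018-1000632, CVE-2020-10683)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2(CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2(CVE-2018-2799, CVE-2022-23437)
mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0(CVE-2014-0107, CVE-2022-34169)
"""

# One node of a chain: "<name> <version>" with an optional "(CVE-..., CVE-...)" suffix.
NODE_RE = re.compile(r"^(?P<name>\S+) (?P<version>[^\s(]+)(?:\((?P<cves>[^)]*)\))?$")

# Maven scopes whose artifacts end up on the runtime classpath of the built module.
RUNTIME_SCOPES = {"compile", "runtime"}


def parse_chain(line):
    """Return ([(name, version), ...], [cve, ...]) for one 'a ---> b ---> c(CVE)' line."""
    path, cves = [], []
    for hop in line.strip().split(" ---> "):
        m = NODE_RE.match(hop.strip())
        if not m:
            raise ValueError(f"unparseable dependency node: {hop!r}")
        path.append((m["name"], m["version"]))
        if m["cves"]:
            cves.extend(c.strip() for c in m["cves"].split(","))
    return path, cves


def parse_chains(text):
    return [parse_chain(line) for line in text.splitlines() if line.strip()]


def vulnerable_artifacts(chains):
    """Map each vulnerable leaf ('name version') to the set of CVEs cited for it,
    collapsing artifacts that are reached over more than one path."""
    out = defaultdict(set)
    for path, cves in chains:
        if cves:
            name, version = path[-1]
            out[f"{name} {version}"].update(cves)
    return dict(out)


def triage(chains, scopes):
    """Classify every CVE as 'runtime' or 'build-only'.

    `scopes` maps the root's direct dependency ('name version') to its Maven
    scope.  A direct dependency in compile/runtime scope carries its transitive
    closure onto the runtime classpath; test/provided scope does not.  A scope
    that is not in the map is assumed to be compile (worst case), so an
    incomplete map never hides a finding.
    """
    verdict = {}
    for path, cves in chains:
        direct = "%s %s" % path[1]           # path[0] is the root module itself
        scope = scopes.get(direct, "compile")
        reach = "runtime" if scope in RUNTIME_SCOPES else "build-only"
        for cve in cves:
            # A CVE reachable at runtime over any path stays 'runtime'.
            if verdict.get(cve) != "runtime":
                verdict[cve] = reach
    return verdict


def report(chains, scopes):
    """Human-readable summary: vulnerable artifacts, then CVEs grouped by reachability."""
    lines = ["Vulnerable artifacts (deduplicated):"]
    for artifact, cves in sorted(vulnerable_artifacts(chains).items()):
        lines.append(f"  {artifact}: {', '.join(sorted(cves))}")
    verdict = triage(chains, scopes)
    for reach in ("runtime", "build-only"):
        hits = sorted(c for c, r in verdict.items() if r == reach)
        lines.append(f"{reach} ({len(hits)}): {', '.join(hits) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    chains = parse_chains(CHAINS)
    # CONSTRUCTED scope for illustration only; check the real mina-legal pom.
    print(report(chains, {"pmd 4.3": "test"}))
    print()
    print(report(chains, {"pmd 4.3": "compile"}))
```

Run with the two constructed scope maps, the same six chains yield eight distinct CVEs across five artifacts; all eight are build-only when pmd is test-scoped and all eight are runtime when it is compile-scoped. Either way the remediation is the same upgrade of pmd that the reporter asks about, but the classification decides whether the finding is a shipped-product vulnerability or a build-environment hygiene issue, which is the distinction the issue's "Does this vulnerability affect Apache MINA?" question is really asking about.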