[ 
https://issues.apache.org/jira/browse/DIRMINA-1178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849713#comment-17849713
 ] 

Yuanhua Han commented on DIRMINA-1178:
--------------------------------------

We understand, and thanks a lot.

> Is there any plan to fix the dependent vulnerabilities of the dependent 
> software pmd 4.3?
> -----------------------------------------------------------------------------------------
>
>                 Key: DIRMINA-1178
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-1178
>             Project: MINA
>          Issue Type: Wish
>    Affects Versions: 2.2.3
>            Reporter: Yuanhua Han
>            Priority: Major
>              Labels: security
>             Fix For: 2.2.4
>
>
> Hello, we found that Apache MINA 2.2.3 depends on pmd 4.3, which is a very 
> old version (released on November 11, 2011). 
> And the dependent components of pmd 4.3 have some vulnerabilities. Currently, 
> the pmd community has fixed these vulnerabilities in the latest version.
> Does this vulnerability affect Apache MINA? If yes, can I ask if there are 
> any plans of Apache MINA community to adapt to the new version of pmd to fix 
> these vulnerabilities? If so, which version of pmd will be adapted in the 
> future?
> Thanks.
> The detailed dependencies and related vulnerabilities are as follows:
> mina-legal 2.2.3 ---> pmd 4.3 ---> ant 1.6(CVE-2012-2098)
> mina-legal 2.2.3 ---> pmd 4.3 ---> junit 4.4(CVE-2020-15250)
> mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> dom4j 1.6.1(CVE-2018-1000632, CVE-2020-10683)
> mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xercesImpl 2.6.2(CVE-2018-2799, CVE-2022-23437)
> mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xercesImpl 2.6.2(CVE-2018-2799, CVE-2022-23437)
> mina-legal 2.2.3 ---> pmd 4.3 ---> jaxen 1.1.1 ---> xom 1.0 ---> xalan 2.6.0(CVE-2014-0107, CVE-2022-34169)
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
