[ https://issues.apache.org/jira/browse/SLING-11988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754064#comment-17754064 ]

Stefan Seifert commented on SLING-11988:
----------------------------------------

you are referring to security issues reported for dependencies of sling-mock, 
not for sling-mock itself.

as far as I see the CVEs relate to these dependencies:
 * [CVE-2023-25621|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25621] -> [https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.i18n/]
 * [CVE-2022-32549|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32549] -> [https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.api/] and [https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.commons.log/]
 * [CVE-2021-29425|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425] -> [https://repo1.maven.org/maven2/commons-io/commons-io/]

for backwards compatibility reasons sling-mock comes with transitive 
dependencies to older versions of those libraries, but it is usual best 
practice to manage those dependencies in your project scope to use the versions 
actually used/deployed in your application. for example, if you are using it in 
an AEM project, here is a recommendation to do this: 
https://wcm.io/testing/aem-mock/usage-maven-dependencies.html

> Apache Sling Testing Sling Mock Core Vulnerabilities
> ----------------------------------------------------
>
>                 Key: SLING-11988
>                 URL: https://issues.apache.org/jira/browse/SLING-11988
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Nok Arrenu
>            Priority: Major
>
> Hello Apache Sling team,
> The latest [Apache Sling Testing Sling Mock Core|https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.testing.sling-mock.core] version 3.4.10 
> ([https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.testing.sling-mock.core/3.4.10]) 
> that was released in May 2023 currently has these 3 vulnerabilities:
> [CVE-2023-25621|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25621]
> [CVE-2022-32549|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32549]
> [CVE-2021-29425|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425]
> Can you please share your timeline on when the above vulnerabilities will be 
> fixed? 
> Thanks!
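The advice in Stefan Seifert's comment above, that the transitive versions pulled in by sling-mock should be managed in the consuming project, is shown below as an added Maven example; it is not part of the Jira thread and not code from the Sling project. It assumes a plain Maven project that uses sling-mock.core 3.4.10 in test scope. The version values are placeholders (labelled as such) that you replace with the versions actually deployed in your application, since a `dependencyManagement` entry overrides the version Maven would otherwise resolve for a transitive dependency.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>my-sling-project</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Placeholders: set each to the version deployed in your application.
         These are NOT fixed versions taken from the CVE advisories. -->
    <sling.i18n.version>SET-TO-DEPLOYED-VERSION</sling.i18n.version>
    <sling.api.version>SET-TO-DEPLOYED-VERSION</sling.api.version>
    <sling.commons.log.version>SET-TO-DEPLOYED-VERSION</sling.commons.log.version>
    <commons.io.version>SET-TO-DEPLOYED-VERSION</commons.io.version>
  </properties>

  <!-- dependencyManagement pins the version of a library even when it is only
       reached transitively (here: through sling-mock.core). -->
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2023-25621 is reported against this artifact -->
      <dependency>
        <groupId>org.apache.sling</groupId>
        <artifactId>org.apache.sling.i18n</artifactId>
        <version>${sling.i18n.version}</version>
      </dependency>
      <!-- CVE-2022-32549 is reported against these two artifacts -->
      <dependency>
        <groupId>org.apache.sling</groupId>
        <artifactId>org.apache.sling.api</artifactId>
        <version>${sling.api.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.sling</groupId>
        <artifactId>org.apache.sling.commons.log</artifactId>
        <version>${sling.commons.log.version}</version>
      </dependency>
      <!-- CVE-2021-29425 is reported against this artifact -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons.io.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the test library from the issue; its own transitive versions are
         overridden by the dependencyManagement block above -->
    <dependency>
      <groupId>org.apache.sling</groupId>
      <artifactId>org.apache.sling.testing.sling-mock.core</artifactId>
      <version>3.4.10</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After filling in the placeholder versions, `mvn dependency:tree -Dincludes=org.apache.sling,commons-io` shows which version of each artifact actually ends up on the test classpath, which is the value a dependency scanner should be judging rather than the version sling-mock declares for compatibility reasons.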



--
This message was sent by Atlassian Jira
(v8.20.10#820010)