Hi Aaron,
one note: a month ago we asked users to test 22-RC; if you had checked back
then, by now you'd have a 22.0 with a fix. Instead, this way, even with a
quick fix, you'll have to wait until November to get an official release
without the dependency. Yep, you can work around it by excluding the
dependency, but next time you plan an upgrade to a .0 version, please
remember to check out the RCs beforehand; it's for your own benefit as well
as the rest of the community's.

Cheers
Andrea

On Tue, Sep 24, 2019 at 7:44 PM Aaron Hoffer <aaron.hof...@connexta.com>
wrote:

> We would like to upgrade our gt-solr dependency to 22.0. However, it
> contains the Apache Axis library. That library has some known
> vulnerabilities
>
> axis-1.4.jar (pkg:maven/org.apache.axis/axis@1.4,
> cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*) : CVE-2012-5784, CVE-2014-3596,
> CVE-2018-8032, CVE-2019-0227
>
> In general, we are not allowed to use a dependency with a CVSS score of
> 5.0 or greater. I'm not sure what to do.
>
>
> Here is the dependency tree:
>
> +--- *org.geotools:gt-solr:22.0*
> |    +--- org.geotools:gt-main:22.0
> |    |    +--- org.geotools:gt-referencing:22.0
> ... cut ...
> |    |    |    +--- jgridshift:jgridshift:1.1
> |    |    |    |    +--- javax:javaee-api:7.0
> |    |    |    |    |    \--- com.sun.mail:javax.mail:1.5.0
> |    |    |    |    |         \--- javax.activation:activation:1.1
> |    |    |    |    \--- * org.apache.axis:axis:1.4*
> _______________________________________________
> GeoTools-GT2-Users mailing list
> GeoTools-GT2-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
>


-- 

Regards, Andrea Aime

== GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information. ==

Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------
With reference to the legislation on the processing of personal data
(EU Reg. 2016/679, the General Data Protection Regulation, "GDPR"), please
note that every circumstance relating to this email (its content, any
attachments, etc.) is data whose knowledge is reserved to the sole
recipient(s) indicated by the sender. If the message has reached you in
error, you are required to delete it; any other operation is unlawful. I
would in any case be grateful if you could let me know. This email is
intended only for the person or entity to which it is addressed and may
contain information that is privileged, confidential or otherwise protected
from disclosure. We remind that - as provided by European Regulation
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the
information herein by anyone other than the intended recipient is
prohibited. If you have received this email by mistake, please notify us
immediately by telephone or e-mail.
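The workaround Andrea mentions, excluding the transitive dependency, as an added Gradle example that is not code from GeoTools or from either message in this thread. It assumes a Gradle build with the `java` plugin and that GeoTools 22.0 is resolved from the OSGeo release repository; the `checkBannedDependencies` task and the `bannedModules` list are names chosen here for illustration. The exclusion is applied to every configuration rather than to the `gt-solr` declaration alone, so that any other path to `org.apache.axis:axis` (the tree above shows it arriving through `jgridshift`) is cut as well, and a check task makes the build fail if a later upgrade reintroduces it.

```groovy
// build.gradle (Groovy DSL). Added example, not taken from GeoTools or the thread.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
    // Assumption: GeoTools release artifacts are fetched from the OSGeo repository.
    maven { url 'https://repo.osgeo.org/repository/release/' }
}

// Global exclusion: drops org.apache.axis:axis from every configuration, whichever
// transitive path (here gt-solr -> ... -> jgridshift -> axis) would have pulled it in.
configurations.all {
    exclude group: 'org.apache.axis', module: 'axis'
}

dependencies {
    implementation 'org.geotools:gt-solr:22.0'
}

// Coordinates that must never reach the runtime classpath ("group:name").
// Hypothetical list for this example; axis 1.4 is the one flagged in the report above.
def bannedModules = [
    'org.apache.axis:axis',
]

// Build-time guard: resolve runtimeClasspath and fail if a banned module is present,
// so a future version bump cannot silently bring the vulnerable jar back.
tasks.register('checkBannedDependencies') {
    description = 'Fails the build if a banned module is on runtimeClasspath'
    doLast {
        def present = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { "${it.moduleVersion.id.group}:${it.moduleVersion.id.name}".toString() }
            .toSet()
        def offenders = bannedModules.findAll { present.contains(it) }
        if (!offenders.isEmpty()) {
            throw new GradleException("Banned dependencies on runtimeClasspath: ${offenders}")
        }
    }
}

// Wire the guard into the standard lifecycle so `gradle check` (and CI) runs it.
tasks.named('check') {
    dependsOn 'checkBannedDependencies'
}
```

Run `gradle checkBannedDependencies` (or `gradle dependencyInsight --configuration runtimeClasspath --dependency axis`) to confirm the jar is gone. Two caveats: an exclusion removes the classes, not the need for them, so if any code path you actually exercise in `gt-solr` or `jgridshift` calls into Axis it will fail at runtime with a `NoClassDefFoundError`, and that has to be checked by testing those paths; and the exclusion only answers the CVEs listed for Axis, so the dependency scanner that produced the `pkg:maven`/`cpe` lines above should be rerun against the resolved classpath rather than assumed clean.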