[ https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Heinz Marbaise resolved MDEP-626.
--------------------------------------
Fix Version/s: 3.1.2
Resolution: Fixed
Done in [a80f5cc026da0e3d98ec720b363728f4509293ff|https://gitbox.apache.org/repos/asf?p=maven-dependency-plugin.git;a=commitdiff;h=a80f5cc026da0e3d98ec720b363728f4509293ff]
> Upgrade struts and xerces due to CVEs
> -------------------------------------
>
> Key: MDEP-626
> URL: https://issues.apache.org/jira/browse/MDEP-626
> Project: Maven Dependency Plugin
> Issue Type: Dependency upgrade
> Components: get
> Affects Versions: 3.1.1
> Reporter: Richard Cross
> Assignee: Karl Heinz Marbaise
> Priority: Major
> Fix For: 3.1.2
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> If running behind a proxy (e.g. Nexus) with a security vulnerability scanner
> (e.g. Nexus IQ), the get command (and possibly others) fails due to a
> dependency on libraries deemed "vulnerable".
>
> {code:java}
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on
> project project1-sample: Execution default-cli of goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin
> org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its
> dependencies could not be resolved: The following artifacts could not be
> resolved: xerces:xercesImpl:jar:2.9.1,
> org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact
> xerces:xercesImpl:jar:2.9.1 from/to efx.nexus
> (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
> https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
> , ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it; "safe" versions are 2.3.35 or
> 2.5.17.
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning; 2.12.0 is
> better, although still problematic.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)