I saw a dependency, xstream-1.3.1.jar, in lsc-core-2.1.4.tar, but
xstream-1.3.1 has vulnerabilities.
CVE-2016-3674
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver,
(2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6)
StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9
allow remote attackers to read arbitrary files via a crafted XML document.

In LSC 2.1.4, I didn't see any code using xstream. LSC uses JAXB to
convert XML to objects in JaxbXmlConfigurationHelper. Why does LSC still
need xstream as a dependency? Is it safe to remove it?


Chun Ling Li(李春玲)
IBM Connection Metrics/Activities/ITM
lich...@cn.ibm.com | 8610-82452758
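
The two facts the question above turns on can be checked mechanically. This is an added example, not part of the original message and not LSC's code: it lists bundled xstream jars older than 1.4.9 and any class in the other jars whose constant pool names the com.thoughtworks.xstream package. The tarball contents and the org.example class names are constructed for illustration.

```python
import io, re, tarfile, zipfile

XSTREAM_PKG = b"com/thoughtworks/xstream"  # package name as stored in class constant pools
FIXED = (1, 4, 9)                          # CVE-2016-3674 affects XStream before 1.4.9

def xstream_version(jar_name):
    """Return the version tuple from a name like xstream-1.3.1.jar, else None."""
    m = re.fullmatch(r"xstream-(\d+(?:\.\d+)*)\.jar", jar_name.rsplit("/", 1)[-1])
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(tar_bytes):
    """Return (xstream jars older than 1.4.9, classes in other jars referencing XStream)."""
    old, users = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".jar")):
                continue
            version = xstream_version(member.name)
            if version is not None:
                if version < FIXED:
                    old.append(member.name)
                continue  # XStream's own classes are not counted as users
            with zipfile.ZipFile(io.BytesIO(tar.extractfile(member).read())) as jar:
                for entry in jar.namelist():
                    if entry.endswith(".class") and XSTREAM_PKG in jar.read(entry):
                        users.append(f"{member.name}!{entry}")
    return old, users

def _jar(name, data):
    """Build a constructed one-entry jar (zip) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, data)
    return buf.getvalue()

def sample_tar():
    """Constructed stand-in for a distribution tarball; all contents are made up."""
    jars = {
        "lib/xstream-1.3.1.jar": _jar("com/thoughtworks/xstream/XStream.class", b"\xca\xfe\xba\xbe"),
        "lib/app.jar": _jar("org/example/Config.class", b"\xca\xfe\xba\xbejavax/xml/bind/JAXBContext"),
        "lib/plugin.jar": _jar("org/example/Legacy.class", b"\xca\xfe\xba\xbe" + XSTREAM_PKG + b"/XStream"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in jars.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Run it on a real archive with `audit(open(path, "rb").read())`. An empty second list only rules out compiled references; classes loaded by name through reflection or named in configuration files are not detected by this scan.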




From:   lsc-users-requ...@lists.lsc-project.org
To:     lsc-users@lists.lsc-project.org
Date:   02/07/2018 07:00 PM
Subject:        lsc-users Digest, Vol 97, Issue 12
Sent by:        "lsc-users" <lsc-users-boun...@lists.lsc-project.org>




Message: 1
Date: Wed, 7 Feb 2018 07:41:17 +0000
From: "Chun Ling Li" <lich...@cn.ibm.com>
To: lsc-users@lists.lsc-project.org
Subject: [lsc-users] Did LSC use xstream?

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-users@lists.lsc-project.org
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
