I saw a dependency xstream-1.3.1.jar in lsc-core-2.1.4.tar. But xstream-1.3.1 has vulnerabilities:

CVE-2016-3674
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
In LSC 2.1.4, I didn't see any code using xstream. LSC used JAXB to convert XML to objects in JaxbXmlConfigurationHelper. Why does LSC still need xstream as a dependency? Is it safe to remove it?

Chun Ling Li (李春玲)
IBM Connection Metrics/Activities/ITM
lich...@cn.ibm.com | 8610-82452758

From: lsc-users-requ...@lists.lsc-project.org
To: lsc-users@lists.lsc-project.org
Date: 02/07/2018 07:00 PM
Subject: lsc-users Digest, Vol 97, Issue 12

Message: 1
Date: Wed, 7 Feb 2018 07:41:17 +0000
From: "Chun Ling Li" <lich...@cn.ibm.com>
To: lsc-users@lists.lsc-project.org
Subject: [lsc-users] Did LSC use xstream?
Content-Type: text/plain; charset="utf-8"
An HTML attachment was scrubbed...
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
lsc-users@lists.lsc-project.org
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
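One way to check the question raised above (does anything shipped with LSC actually link against XStream?) is to look for the package prefix in the constant pool of every class inside each jar of the distribution. The script below is an added example, not LSC project code; the two sample jars are constructed inline and stand in for a JAXB-only consumer and an XStream consumer.

```python
import io
import pathlib
import zipfile

# A JVM class file lists every class it references as a CONSTANT_Utf8 entry in
# internal form (slashes, not dots), so a raw substring test over the bytes is
# a cheap, conservative detector of a compile-time reference to a package.
XSTREAM_PREFIX = b"com/thoughtworks/xstream/"


def jar_references(jar_bytes, prefix=XSTREAM_PREFIX):
    """Return the .class entries in a jar whose bytes mention prefix."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and prefix in zf.read(name):
                hits.append(name)
    return hits


def scan_lib_dir(lib_dir, prefix=XSTREAM_PREFIX, skip_prefix="xstream-"):
    """Map each consumer jar under lib_dir to the classes that reference prefix."""
    report = {}
    for jar in sorted(pathlib.Path(lib_dir).glob("*.jar")):
        # The library's own jar obviously names its own package; skip it.
        if jar.name.startswith(skip_prefix):
            continue
        hits = jar_references(jar.read_bytes(), prefix)
        if hits:
            report[jar.name] = hits
    return report


def build_sample_jar(entries):
    """In-memory jar from {entry name: bytes}; used for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for two consumer jars (not real LSC bytecode): one that
# only touches JAXB, one whose constant pool names an XStream class.
JAXB_ONLY_JAR = build_sample_jar({
    "org/lsc/configuration/JaxbXmlConfigurationHelper.class":
        b"\xca\xfe\xba\xbe\x00\x00\x00\x31 javax/xml/bind/JAXBContext ",
})
XSTREAM_USER_JAR = build_sample_jar({
    "org/example/Exporter.class":
        b"\xca\xfe\xba\xbe\x00\x00\x00\x31 com/thoughtworks/xstream/XStream ",
})
```

This only finds compile-time references; a class loaded by name through reflection would be missed, so pair it with `mvn dependency:tree` on the LSC build to see which artifact pulls xstream in transitively before excluding or upgrading it.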