I saw a dependency xstream-1.3.1.jar in lsc-core-2.1.4.tar. But xstream-1.3.1 has vulnerabilities. CVE-2016-3674 Severity: Medium CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) CWE: CWE-200 Information Exposure Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
In LSC 2.1.4, I didn't see any codes using xstream. LSC used Jaxb to convert xml to objects in JaxbXmlConfigurationHelper. Why lsc still need xstream as dependency? Is it safe to remove it? Chun Ling Li(李春玲) IBM Connection Metrics/Activities/ITM [email protected] | 8610-82452758 From: [email protected] To: [email protected] Date: 02/07/2018 07:00 PM Subject: lsc-users Digest, Vol 97, Issue 12 Sent by: "lsc-users" <[email protected]> Send lsc-users mailing list submissions to [email protected] To subscribe or unsubscribe via the World Wide Web, visit https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.lsc-2Dproject.org_cgi-2Dbin_mailman_listinfo_lsc-2Dusers&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=9zbvX1_biO__ZZXD0vAk2NsraCTovufv_GEadyZzBmM&m=wvkLjHpw0Jw12wqpoXN4tF3wLdJVmGGqd2GYiaetxY4&s=rpjk8kiUJvKequDN2ACMmqWmrS2IItMW7yGNJYSlFds&e= or, via email, send a message with subject or body 'help' to [email protected] You can reach the person managing the list at [email protected] When replying, please edit your Subject line so it is more specific than "Re: Contents of lsc-users digest..." Today's Topics: 1. Did LSC use xstream? (Chun Ling Li) ---------------------------------------------------------------------- Message: 1 Date: Wed, 7 Feb 2018 07:41:17 +0000 From: "Chun Ling Li" <[email protected]> To: [email protected] Subject: [lsc-users] Did LSC use xstream? Message-ID: <ofdbe5c741.4191ef0f-on0025822d.002986e1-0025822d.002a3...@notes.na.collabserv.com> Content-Type: text/plain; charset="utf-8" An HTML attachment was scrubbed... URL: < https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.lsc-2Dproject.org_pipermail_lsc-2Dusers_attachments_20180207_4f30ba09_attachment-2D0001.html&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=9zbvX1_biO__ZZXD0vAk2NsraCTovufv_GEadyZzBmM&m=wvkLjHpw0Jw12wqpoXN4tF3wLdJVmGGqd2GYiaetxY4&s=b87SeZoc9l6y1zdGAPAGcfUp52tehqXW1WThpn1F1UE&e= > ------------------------------ Subject: Digest Footer _______________________________________________ lsc-users mailing list [email protected] https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.lsc-2Dproject.org_cgi-2Dbin_mailman_listinfo_lsc-2Dusers&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=9zbvX1_biO__ZZXD0vAk2NsraCTovufv_GEadyZzBmM&m=wvkLjHpw0Jw12wqpoXN4tF3wLdJVmGGqd2GYiaetxY4&s=rpjk8kiUJvKequDN2ACMmqWmrS2IItMW7yGNJYSlFds&e= ------------------------------ End of lsc-users Digest, Vol 97, Issue 12 *****************************************
_______________________________________________________________ Ldap Synchronization Connector (LSC) - http://lsc-project.org lsc-users mailing list [email protected] https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
