[ https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411298#comment-17411298 ]

Dániel Dékány edited comment on FREEMARKER-190 at 9/7/21, 3:13 PM:
-------------------------------------------------------------------

That's for building FreeMarker itself; for that, it's required. But when in 
another project you are *using* FreeMarker, and therefore declare a dependency 
on the Maven artifact, it will not add DOM4J to your project. In fact, it 
doesn't add any transitive dependencies. See the POM here (and actually, they 
aren't even listed as "optional", they are simply not listed at all): 
[https://search.maven.org/artifact/org.freemarker/freemarker/2.3.31/jar]

If some of the safe newer versions are indeed backward compatible (I think it 
was once checked, but maybe that's a false memory of mine), then I will upgrade 
the dependency, just to avoid confusion.

But, main point is, it's not a security risk.
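The rule the comment relies on is that a consumer only inherits dependencies a published POM lists in a transitive scope (compile or runtime) without `<optional>true</optional>`; a POM that lists nothing hands on nothing. As an added check, not code from the comment or the FreeMarker project, here is a small POM audit run over two constructed sample POMs (neither is FreeMarker's real POM or build):

```python
"""Report which dependencies a Maven POM propagates to projects that depend on it."""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Only these scopes reach a downstream consumer; test/provided/system never do.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def _text(element, tag, default=""):
    """Text of a child element, tolerating POMs written without the namespace."""
    node = element.find(POM_NS + tag)
    if node is None:
        node = element.find(tag)
    return (node.text or "").strip() if node is not None else default


def consumer_visible_deps(pom_xml):
    """Return [(groupId, artifactId, scope)] for every dependency a consumer inherits."""
    root = ET.fromstring(pom_xml)
    deps_node = root.find(POM_NS + "dependencies")
    if deps_node is None:
        deps_node = root.find("dependencies")
    if deps_node is None:          # no <dependencies> at all: nothing propagates
        return []
    visible = []
    for dep in list(deps_node):
        scope = _text(dep, "scope", "compile")            # Maven's default scope
        optional = _text(dep, "optional", "false").lower() == "true"
        if scope in TRANSITIVE_SCOPES and not optional:
            visible.append((_text(dep, "groupId"), _text(dep, "artifactId"), scope))
    return visible


# Constructed build-style POM: dom4j 1.3 only in test scope, one optional and one real dependency.
SAMPLE_BUILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>dom4j</groupId><artifactId>dom4j</artifactId>
      <version>1.3</version><scope>test</scope></dependency>
    <dependency><groupId>example</groupId><artifactId>opt-lib</artifactId>
      <version>1.0</version><optional>true</optional></dependency>
    <dependency><groupId>example</groupId><artifactId>needed-lib</artifactId>
      <version>1.0</version></dependency>
  </dependencies>
</project>"""

# Constructed POM with no <dependencies> element, the situation the comment describes.
SAMPLE_EMPTY_POM = '<project xmlns="http://maven.apache.org/POM/4.0.0"><artifactId>x</artifactId></project>'
```

On a real consumer project the same question is answered by `mvn dependency:tree -Dincludes=:dom4j`, which prints nothing when no dom4j artifact reaches the classpath.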

> The jar dom4j has a known security issue that FreeMarker compiles dependent on
> --------------------------------------------------------------------------------
>
>                 Key: FREEMARKER-190
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-190
>             Project: Apache Freemarker
>          Issue Type: Wish
>          Components: engine
>    Affects Versions: 2.3.31
>            Reporter: PowerCOM_STARWAR
>            Priority: Major
>
> Hi, friend. When I compile FreeMarker, I find it depends on the jar dom4j, 
> and its version is 1.3. From the Internet, this version 1.3 of dom4j has 
> security issues, so please upgrade to the safe version. Thanks.
> The security issue number CVE-2020-10683 and link: 
> [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The security issue number CVE-2018-1000632 and link: 
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
