[ https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17423420#comment-17423420 ]
Dániel Dékány commented on FREEMARKER-190:
------------------------------------------
Ah, now FreeMarker is listed as affected under
https://nvd.nist.gov/vuln/detail/CVE-2020-10683 etc. and there's a reference to
this Jira issue. Again, we merely support that API, in case +something else+
exposes such objects to us. FreeMarker doesn't use that API in itself. Also, we
do not pull in Dom4j as dependency. See the POM in maven central; dom4j is not
mentioned anywhere. It's only used during the Ant building process, because
javac needs it for obvious reasons.
Anyway, I will upgrade the dependency in the next release, to avoid any further
confusion. Or if I find that it's not backward compatible, I will just drop it,
as almost nobody uses it anyway. If the others will agree, that is. Will see.
Eclipse dependency... I'm not sure who to turn to, which subproject it is.
> The jar dom4j has a known security issue that Freemarker compiles dependent on
> it
> --------------------------------------------------------------------------------
>
> Key: FREEMARKER-190
> URL: https://issues.apache.org/jira/browse/FREEMARKER-190
> Project: Apache Freemarker
> Issue Type: Wish
> Components: engine
> Affects Versions: 2.3.31
> Reporter: PowerCOM_STARWAR
> Priority: Major
>
> Hi, friend. When I compile the Freemarker, I find it depends on the jar dom4j,
> and its version is 1.3. From the Internet, this version 1.3 of dom4j has
> security issues, so please upgrade to the safety version. Thanks.
> The security issue number CVE-2020-10683 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The security issue number CVE-2018-1000632 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632].
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
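The check the comment above describes (look at the published POM and see whether dom4j is actually declared as a dependency, and with what scope) as an added Python example; this is not code from the thread or from FreeMarker. It parses a POM, resolves `${...}` property references, and reports whether an artifact would reach a consumer's classpath. The sample POM, its artifact names and its versions are constructed for illustration and are not FreeMarker's real POM from Maven Central.

```python
"""Which dependencies does a Maven POM really declare, and with what scope?

Added example (not FreeMarker's code). Used to verify or refute a scanner
finding such as "project X depends on dom4j" against the POM that is
actually published.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (hypothetical; NOT the FreeMarker POM).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-lib</artifactId>
  <version>1.0.0</version>
  <properties>
    <dom4j.version>1.6.1</dom4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>dom4j</groupId>
      <artifactId>dom4j</artifactId>
      <version>${dom4j.version}</version>
      <scope>provided</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Scopes that land on a downstream consumer's classpath transitively.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def _tag(elem_tag):
    """Strip the {namespace} prefix so POMs with and without xmlns parse alike."""
    return elem_tag.rsplit("}", 1)[-1]


def _child_text(elem, name, default=None):
    for child in elem:
        if _tag(child.tag) == name:
            return (child.text or "").strip()
    return default


def _properties(root):
    """Collect <properties> plus the project.* coordinates POMs often reference."""
    props = {}
    for section in root:
        if _tag(section.tag) == "properties":
            for p in section:
                props[_tag(p.tag)] = (p.text or "").strip()
    for name in ("groupId", "artifactId", "version"):
        val = _child_text(root, name)
        if val is not None:
            props["project." + name] = val
    return props


def _interpolate(value, props):
    """Resolve ${prop} references; unknown properties are left untouched."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def declared_dependencies(pom_xml):
    """Return a list of dicts: groupId, artifactId, version, scope, optional."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    deps = []
    for section in root:
        if _tag(section.tag) != "dependencies":
            continue
        for dep in section:
            if _tag(dep.tag) != "dependency":
                continue
            deps.append({
                "groupId": _child_text(dep, "groupId"),
                "artifactId": _child_text(dep, "artifactId"),
                "version": _interpolate(_child_text(dep, "version"), props),
                "scope": _child_text(dep, "scope", "compile"),  # Maven default
                "optional": _child_text(dep, "optional", "false") == "true",
            })
    return deps


def find_dependency(pom_xml, artifact_id):
    """The declaration for artifact_id, or None if the POM never mentions it."""
    for d in declared_dependencies(pom_xml):
        if d["artifactId"] == artifact_id:
            return d
    return None


def pulls_in(pom_xml, artifact_id):
    """True only if artifact_id reaches consumers: compile/runtime scope, not optional."""
    d = find_dependency(pom_xml, artifact_id)
    return d is not None and d["scope"] in TRANSITIVE_SCOPES and not d["optional"]


if __name__ == "__main__":
    for d in declared_dependencies(SAMPLE_POM):
        print(f"{d['groupId']}:{d['artifactId']}:{d['version']} "
              f"scope={d['scope']} optional={d['optional']}")
    print("dom4j reaches consumers:", pulls_in(SAMPLE_POM, "dom4j"))
```

A `provided`, `test` or `optional` declaration is not pulled into downstream builds, and a library used only by the build tooling (as the comment says of dom4j in the Ant build) has no POM entry at all; either case can make a scanner flag a project that never ships the artifact, and the declared-scope check is how to tell which situation applies.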