[ https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17424805#comment-17424805 ]

Karim Mreisi commented on FREEMARKER-190:
-----------------------------------------

{quote}See the POM in maven central; dom4j is not mentioned anywhere. It's only 
used during the Ant building process, because javac needs it for obvious 
reasons.
{quote}
Thanks for the response; this unblocks me already, since I can claim that the 
vulnerable code is not used in the product.
{quote}Anyway, I will upgrade the dependency in the next release, to avoid any 
further confusion. Or if I find that it's not backward compatible (which is 
very likely), I will just drop dom4j support. Almost nobody uses it anyway. If 
the others will agree, that is. Will see.
{quote}
Sounds good to me; please keep the ticket updated.

Updating Eclipse looks a bit complicated, since the original committer of 
FreeMarker in Eclipse went away: 
[https://www.eclipse.org/lists/orbit-dev/msg05227.html].
When you have a CVE-free build I will try to bump the Orbit dependency 
([https://git.eclipse.org/c/orbit/orbit-recipes.git/tree/freemarker/org.freemarker_2.3.22]); 
that could be enough if you don't break any existing APIs.
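The claim above rests on what the published POM declares: a build-time-only library that is absent from the POM is not pulled in by consumers of the artifact. The script below is an added example (not FreeMarker's or the Jira thread's own code) that parses a Maven POM and classifies how a downstream consumer is exposed to a given group:artifact, taking scope and the optional flag into account. The two POM documents are constructed for illustration; only the dom4j version string is taken from the issue report.

```python
"""Classify a consumer's transitive exposure to a dependency from a Maven POM.

Added example, not FreeMarker's or the Jira thread's own code.  It assumes the
POM XML has already been fetched (for instance the artifact's .pom file from
Maven Central); the two POM documents at the bottom are constructed inputs.
"""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Scopes Maven propagates to downstream consumers.  test and provided
# dependencies are not part of the artifact's transitive closure.
TRANSITIVE_SCOPES = {"compile", "runtime"}


def declared_dependencies(pom_xml: str):
    """Return (groupId, artifactId, scope, optional) for every <dependency>
    in the POM's top-level <dependencies> block (scope defaults to compile)."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    deps = []
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        def text(tag, default=""):
            el = dep.find(ns + tag)
            return (el.text or "").strip() if el is not None else default
        deps.append((text("groupId"), text("artifactId"),
                     text("scope", "compile"),
                     text("optional", "false").lower() == "true"))
    return deps


def transitive_exposure(pom_xml: str, group_id: str, artifact_id: str) -> str:
    """'transitive'    -> compile/runtime and not optional: consumers inherit it
       'declared-only' -> present but test/provided/optional: not inherited
       'absent'        -> the POM does not name the artifact at all"""
    for g, a, scope, optional in declared_dependencies(pom_xml):
        if (g, a) == (group_id, artifact_id):
            if scope in TRANSITIVE_SCOPES and not optional:
                return "transitive"
            return "declared-only"
    return "absent"


# Constructed POM mirroring the situation described in the thread: the
# published POM names no dom4j dependency, only a test-scoped one.
POM_WITHOUT_DOM4J = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>template-engine</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed POM of a hypothetical project that does declare dom4j at the
# default (compile) scope, so every consumer would inherit it.
POM_WITH_DOM4J = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>xml-tool</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>dom4j</groupId>
      <artifactId>dom4j</artifactId>
      <version>1.3</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for name, pom in (("template-engine", POM_WITHOUT_DOM4J),
                      ("xml-tool", POM_WITH_DOM4J)):
        print(f"{name}: dom4j exposure = "
              f"{transitive_exposure(pom, 'dom4j', 'dom4j')}")
```

The POM only tells you what consumers resolve transitively; it says nothing about classes bundled or shaded into the jar itself, so pair this check with a listing of the jar's contents (for example `jar tf` looking for the library's packages) before concluding that the vulnerable code is not shipped.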

> The dom4j jar, which Freemarker's compilation depends on, has known security 
> issues
> --------------------------------------------------------------------------------
>
>                 Key: FREEMARKER-190
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-190
>             Project: Apache Freemarker
>          Issue Type: Wish
>          Components: engine
>    Affects Versions: 2.3.31
>            Reporter: PowerCOM_STARWAR
>            Assignee: Dániel Dékány
>            Priority: Major
>
> Hi, friend. When I compile Freemarker, I find it depends on the jar dom4j, 
> and its version is 1.3. From the Internet, this version 1.3 of dom4j has 
> security issues, so please upgrade to a safe version. Thanks.
> The security issue number CVE-2020-10683 and link: 
> [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The security issue number CVE-2018-1000632 and link: 
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)