[https://issues.apache.org/jira/browse/FREEMARKER-190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433381#comment-17433381]
Dániel Dékány edited comment on FREEMARKER-190 at 10/23/21, 11:11 PM:
----------------------------------------------------------------------
Fix was pushed, will be released with 2.3.32. Now the build compiles for dom4j
2.31. Again, there's no actual vulnerability FreeMarker users should be
concerned about, it's just to get out of the flagged status.
As of backward compatibility, it was tested that if FreeMarker is compiled for
dom4j 2.31, but the user uses the resulting {{freemarker.jar}} with dom4j 1.3,
it still works. Anyway, probably nobody uses dom4j support with FreeMarker.
It's not even happening automatically; you explicitly have to use
{{freemarker.ext.xml.NodeListModel}} to wrap the dom4j node to use it. So one
can't even use it without knowing.
> The jar dom4j that FreeMarker compiles against has a known security issue
> --------------------------------------------------------------------------------
>
> Key: FREEMARKER-190
> URL: https://issues.apache.org/jira/browse/FREEMARKER-190
> Project: Apache Freemarker
> Issue Type: Wish
> Components: engine
> Affects Versions: 2.3.31
> Reporter: PowerCOM_STARWAR
> Assignee: Dániel Dékány
> Priority: Major
>
> Hi, friend. When I compile FreeMarker, I find it depends on the jar dom4j,
> and its version is 1.3. From the Internet, this version 1.3 of dom4j has
> security issues, so please upgrade to the safe version. Thanks.
> The security issue number CVE-2020-10683 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-10683]
> The security issue number CVE-2018-1000632 and link:
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1000632].
--
This message was sent by Atlassian Jira
(v8.3.4#803005)