Maybe there is some replacement for both of them? What do you think?

Fri, 26 Aug 2022 at 12:53 Piotr Zarzycki <piotrzarzyck...@gmail.com> wrote:

> Hi guys,
>
> Unfortunately, neither of these plugins has a newer version.
> The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
> Any suggestions?
>
> Thanks,
> Piotr
>
> Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki <piotrzarzyck...@gmail.com> wrote:
>
>> Hi Chris and All,
>>
>> I will try to upgrade the dependencies myself this week. I will let you know
>> here how it goes.
>>
>> Thanks,
>> Piotr
>>
>> Tue, 16 Aug 2022 at 14:46 Christofer Dutz <christofer.d...@c-ware.de> wrote:
>>
>>> Well …
>>>
>>> you might not, but a malicious attacker might.
>>> I think the last few releases of BlazeDS that I did in the past were
>>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>>> example, a malicious attacker could embed XML using XML entities that
>>> referenced protected resources on the server, and the BlazeDS server just
>>> resolved them, exposing this protected information.
>>>
>>> However, I think I remember I turned off the XML processing of external
>>> resources by default, so this problem probably would not apply in very many
>>> cases.
>>>
>>> However, this seems to be a pretty new vulnerability, as I wasn't
>>> getting it when I started the branch. So I would advise looking whether a
>>> newer version is available and simply switching to that. If you need help with
>>> that … give me a ping. Should be a matter of 5 minutes.
>>>
>>> Chris
>>>
>>> From: Tom Chiverton <t...@extravision.com>
>>> Date: Tuesday, 16 August 2022 at 12:20
>>> To: dev@flex.apache.org <dev@flex.apache.org>, Brian Raymes <brian.ray...@teotech.com>
>>> Subject: Re: [EXTERNAL] BlazeDS release
>>>
>>> The issue there is when processing malicious XSLT.
>>>
>>> We don't pass untrusted XSLT to it?
>>>
>>> Tom
>>>
>>> On 15/08/2022 22:36, Brian Raymes wrote:
>>> > Seems like those dependencies need to be replaced due to
>>> > vulnerabilities, as the Apache Xalan project has been retired:
>>> >
>>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>>> >
>>> > -----Original Message-----
>>> > From: Piotr Zarzycki <piotrzarzyck...@gmail.com>
>>> > Sent: Sunday, August 14, 2022 3:26 AM
>>> > To: dev@flex.apache.org
>>> > Subject: [EXTERNAL] BlazeDS release
>>> >
>>> > Hi All,
>>> >
>>> > In this thread I will be reporting updates related to the release of
>>> > BlazeDS. I looked into Chris's branch and I would like to exclude the Proxy
>>> > module from the upcoming release. Please let me know in this thread whether you
>>> > have anything against it.
>>> >
>>> > Meanwhile, I have the following error on the console during the build. Anyone
>>> > know what that means?
>>> >
>>> > One or more dependencies were identified with known vulnerabilities in
>>> > flex-messaging-common:
>>> >
>>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> > See the dependency-check report for more details.
>>> >
>>> > [INFO] ------------------------------------------------------------------------
>>> > [INFO] Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:
>>> > [INFO]
>>> > [INFO] Apache Flex - BlazeDS .............................. SUCCESS [  5.914 s]
>>> > [INFO] flex-messaging-archetypes .......................... SUCCESS [  1.409 s]
>>> > [INFO] blazeds-spring-boot-example-archetype .............. SUCCESS [  4.430 s]
>>> > [INFO] flex-messaging-common .............................. FAILURE [  2.155 s]
>>> > [INFO] flex-messaging-core ................................ SKIPPED
>>> > [INFO] flex-messaging-proxy ............................... SKIPPED
>>> > [INFO] flex-messaging-remoting ............................ SKIPPED
>>> > [INFO] flex-messaging-opt ................................. SKIPPED
>>> > [INFO] flex-messaging-opt-tomcat .......................... SKIPPED
>>> > [INFO] flex-messaging-opt-tomcat-base ..................... SKIPPED
>>> > [INFO] ------------------------------------------------------------------------
>>> > [INFO] BUILD FAILURE
>>> > [INFO] ------------------------------------------------------------------------
>>> > [INFO] Total time: 14.115 s
>>> > [INFO] Finished at: 2022-08-14T12:24:30+02:00
>>> > [INFO] ------------------------------------------------------------------------
>>> > [ERROR] Failed to execute goal
>>> > org.owasp:dependency-check-maven:7.1.0:check (default) on project
>>> > flex-messaging-common:
>>> > [ERROR]
>>> > [ERROR] One or more dependencies were identified with
>>> > vulnerabilities that have a CVSS score greater than or equal to '4.0':
>>> > [ERROR]
>>> > [ERROR] serializer-2.7.2.jar: CVE-2022-34169(9.8)
>>> > [ERROR] xalan-2.7.2.jar: CVE-2022-34169(9.8)
>>> > [ERROR]
>>> > [ERROR] See the dependency-check report for more details.
>>> >
>>> > Thanks,

--
Piotr Zarzycki
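Chris's remark above about external entities being resolved, and about having turned off external resource processing by default, is the kind of hardening the following added Java example shows; it is not BlazeDS code. It assumes the JDK's built-in JAXP parsers (Xerces feature URIs; the `ACCESS_EXTERNAL_*` attributes are JAXP 1.5 and an older third-party `TransformerFactory` may not accept them).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXParseException;

/** Factories that refuse external resources (added example, not BlazeDS code). */
public final class HardenedXml {

    /** DOM parser that rejects any DOCTYPE, so no entity, internal or external, is ever resolved. */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a caller relaxes the DOCTYPE rule later.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** XSLT factory that blocks external DTDs and external stylesheets (xsl:include/import, document()). */
    public static TransformerFactory newTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // "" = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying a DOCTYPE, the shape an entity-based attack needs.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            newDocumentBuilder().parse(
                new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException expected) {
            // The hardened parser refuses the document before any entity is looked at.
            System.out.println("DOCTYPE rejected: " + expected.getMessage());
        }
        newTransformerFactory(); // throws IllegalArgumentException if the factory lacks JAXP 1.5 support
    }
}
```

A `TransformerFactory` configured this way still runs the XSLTC code that CVE-2022-34169 lives in, so it narrows exposure to untrusted entities and external stylesheets but does not replace upgrading or replacing xalan-2.7.2.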