[ https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028716#comment-17028716 ]

Benoit Tellier commented on JAMES-3033:
---------------------------------------

We need a reference to the CVE: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658

Also, we should provide elements in order to relativise the severity of this
dependency CVE:
 - checkstyle is run at compile time, runtime James behavior is not impacted
   (thus it does not qualify as an Apache CVE)
 - However automated CIs may be exposed to malicious pull requests with crafted
   XML content leveraging the CVE prerequisite. Even there, executing the
   compilation within a docker container with limited rights might be a good risk
   mitigation. Relying on "privileged mode" or using a writable docker socket
   might not.

> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
>                 Key: JAMES-3033
>                 URL: https://issues.apache.org/jira/browse/JAMES-3033
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: René Cordier
>            Priority: Major
>              Labels: security
>
> A vulnerability issue has been found in com.puppycrawl.tools:checkstyle:
> https://github.com/linagora/james-project/network/alert/pom.xml/com.puppycrawl.tools:checkstyle/open
> We need to fix it asap by upgrading it from version 8.23 to 8.29.
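The container-based mitigation described in the comment above, as an added example that is not part of the Jira thread or of the James project's own build scripts: the build runs in a container that drops capabilities and runs as an unprivileged user, and the wrapper refuses the two settings the comment names as ineffective (`--privileged` and a mounted Docker socket). The image name, the mount paths and the `MAVEN_CONFIG` / `-Duser.home` convention of the official maven image are assumptions, not details given in the thread.

```shell
#!/bin/sh
# Added example (not from the JAMES-3033 thread): run a Maven build inside a
# container with limited rights, and refuse docker options that hand the
# rights back. Image name, paths and MAVEN_CONFIG usage are assumptions.

BUILD_IMAGE="${BUILD_IMAGE:-maven:3.6-jdk-11}"   # assumed build image

# check_docker_args: return 0 when none of the given docker arguments re-grant
# the rights a constrained build container is supposed to give up.
check_docker_args() {
  for arg in "$@"; do
    case "$arg" in
      --privileged|--privileged=true)
        return 1 ;;          # full host device and capability access
      *docker.sock*)
        return 1 ;;          # Docker socket mounted into the build, any mode
    esac
  done
  return 0
}

# hardened_args: print, one per line, the docker options for a constrained
# build: no capabilities, no privilege escalation, non-root user, only the
# source tree and a dependency cache mounted.
hardened_args() {
  printf '%s\n' \
    --rm \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --user "$(id -u):$(id -g)" \
    -v "$PWD:/src" \
    -v "${HOME:-/tmp}/.m2:/var/maven/.m2" \
    -e MAVEN_CONFIG=/var/maven/.m2 \
    -w /src
}

# run_build: assemble the option list, verify it, then run the build.
run_build() {
  old_ifs=$IFS
  IFS='
'
  # Split hardened_args output on newlines only, so paths with spaces survive.
  set -- $(hardened_args)
  IFS=$old_ifs
  if ! check_docker_args "$@"; then
    echo "refusing to build: risky docker option present" >&2
    return 1
  fi
  docker run "$@" "$BUILD_IMAGE" mvn -B -Duser.home=/var/maven verify
}

# Only launch the build when explicitly requested, so the file can be sourced
# to reuse check_docker_args in other CI scripts.
if [ "${RUN_JAMES_BUILD:-0}" = "1" ]; then
  run_build
fi
```

Invoke with `RUN_JAMES_BUILD=1 sh build-in-container.sh` from the source checkout. The check is deliberately coarse: any argument mentioning `docker.sock` is rejected, read-only mounts included, because a build step that can talk to the daemon can escape the capability limits the other options impose.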



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
