Re: [m2e-dev] CVE-2020-10683

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [m2e-dev] CVE-2020-10683

From: Elliotte Rusty Harold <elharo@xxxxxxxxxxx>
Date: Wed, 3 Jun 2020 17:32:30 -0400
Delivered-to: m2e-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/m2e-dev>
List-help: <mailto:m2e-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=unsubscribe>

maven-archetype removed the dependency on dom4j about a year ago:

https://github.com/apache/maven-archetype/pull/29

If that's where it's coming from, you should just need to update
maven-archetype.


On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
>
> Hi m2e-dev.
>
>
>
> I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-10683
>
> The mitigation is to update to 2.1.3.
>
>
>
> Should I log a bug for this?
>
> IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
>
> Is it the same for this one?
>
>
>
> Thanks!
>
> Tony Homer
>
> _______________________________________________
> m2e-dev mailing list
> m2e-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev



-- 
Elliotte Rusty Harold
elharo@xxxxxxxxxxx

Follow-Ups:
- Re: [m2e-dev] CVE-2020-10683
  - From: Homer, Tony

References:
- [m2e-dev] CVE-2020-10683
  - From: Homer, Tony

Prev by Date: Re: [m2e-dev] CVE-2020-10683
Next by Date: Re: [m2e-dev] CVE-2020-10683
Previous by thread: Re: [m2e-dev] CVE-2020-10683
Next by thread: Re: [m2e-dev] CVE-2020-10683
Index(es):
- Date
- Thread

Breadcrumbs