Re: [m2e-dev] CVE-2020-10683
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Wed, 3 Jun 2020 21:41:45 +0000

Thanks for reminding me about that.  I'll double-check the finding and see what version of maven-archetype m2e is using.

On 6/3/20, 2:32 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Elliotte Rusty Harold" <m2e-dev-bounces@xxxxxxxxxxx on behalf of elharo@xxxxxxxxxxx> wrote:

    maven-archetype removed the dependency on dom4j about a year ago:

    https://github.com/apache/maven-archetype/pull/29

    If that's where it's coming from, you should just need to update
    maven-archetype.


    On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
    >
    > Hi m2e-dev.
    >
    >
    >
    > I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
    >
    > https://nvd.nist.gov/vuln/detail/CVE-2020-10683
    >
    > The mitigation is to update to 2.1.3.
    >
    >
    >
    > Should I log a bug for this?
    >
    > IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
    >
    > Is it the same for this one?
    >
    >
    >
    > Thanks!
    >
    > Tony Homer
    >
    > _______________________________________________
    > m2e-dev mailing list
    > m2e-dev@xxxxxxxxxxx
    > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev



    -- 
    Elliotte Rusty Harold
    elharo@xxxxxxxxxxx

