Re: [m2e-dev] CVE-2020-10683

[Fred Bricon <fbricon@xxxxxxxxx>]

maven-archetype-plugin 3+ removed some API used in m2e, upgrading is a non-trivial effort. 

I'd suggest bumping the dom4j dependency in the m2e archetype plugin in the meantime

On Thu, Jun 4, 2020 at 1:12 AM Homer, Tony <tony.homer@xxxxxxxxx> wrote:

m2e is using maven-archetype 2.4:
https://github.com/eclipse/m2e-core/blob/master/m2e-maven-runtime/org.eclipse.m2e.archetype.common/pom.xml#L27

maven-archetype removed dom4j in 3.1.2:
https://github.com/apache/maven-archetype/commit/bf7961805ea56cdad7e138f47098aacccb314db8

I'll open a change which bumps maven-archetype to 3.1.2 and removes the direct dependency on dom4j from m2e and see what happens.

Here is the commit from the last time a dom4j CVE fix was applied in m2e:
https://github.com/eclipse/m2e-core/commit/cbe8a8990fa168f3750b2accf499f87310907fcd
At that time, the issue was not fixed in maven-archetype, but I seem to recall that there was some reason why it was not practical to bump the maven-archetype dependency to 3+.  I could be misremembering so I will go ahead and give it a shot.  Maybe Fred can comment as he was involved with this last time.

Tony

On 6/3/20 , 2:41 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Homer, Tony" <m2e-dev-bounces@xxxxxxxxxxx on behalf of tony.homer@xxxxxxxxx> wrote:

    Thanks for reminding me about that.  I'll double-check the finding and see what version of maven-archetype m2e is using.

    On 6/3/20 , 2:32 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Elliotte Rusty Harold" <m2e-dev-bounces@xxxxxxxxxxx on behalf of elharo@xxxxxxxxxxx> wrote:

        maven-archetype removed the dependency on dom4j about a year ago:

        https://github.com/apache/maven-archetype/pull/29

        If that's where it's coming from, you should just need to update
        maven-archetype.


        On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
        >
        > Hi m2e-dev.
        >
        >
        >
        > I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
        >
        > https://nvd.nist.gov/vuln/detail/CVE-2020-10683
        >
        > The mitigation is to update to 2.1.3.
        >
        >
        >
        > Should I log a bug for this?
        >
        > IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
        >
        > Is it the same for this one?
        >
        >
        >
        > Thanks!
        >
        > Tony Homer
        >
        > _______________________________________________
        > m2e-dev mailing list
        > m2e-dev@xxxxxxxxxxx
        > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev



        --
        Elliotte Rusty Harold
        elharo@xxxxxxxxxxx
        _______________________________________________
        m2e-dev mailing list
        m2e-dev@xxxxxxxxxxx
        To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev

    _______________________________________________
    m2e-dev mailing list
    m2e-dev@xxxxxxxxxxx
    To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev

_______________________________________________
m2e-dev mailing list
m2e-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev

--

"Have you tried turning it off and on again" - The IT Crowd

And if that fails, then http://goo.gl/tnBgH5