Re: [m2e-dev] CVE-2020-10683
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Thu, 4 Jun 2020 00:27:26 +0000
  • Delivered-to: m2e-dev@xxxxxxxxxxx
  • Thread-topic: [m2e-dev] CVE-2020-10683

Thanks for responding, Fred.
I submitted two changes so far.

The first bumps the maven-archetype version to 3.1.2 and as you expected, it fails: https://git.eclipse.org/r/164105

The second bumps dom4j to 2.1.3 and it succeeded: https://git.eclipse.org/r/164107
I’ll add some reviewers to the second one and hope we can get it merged.
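As an added example (not code from this thread or from the m2e project): a small Python check that scans `mvn dependency:tree` output for the `org.dom4j:dom4j` artifact and flags any resolved version below 2.1.3, the version the thread names as the mitigation. The tree text below is constructed for the example; it mirrors the maven-archetype 2.4 -> dom4j 2.1.1 path described in the thread, and the project coordinates in it are placeholders.

```python
import re

# Constructed `mvn dependency:tree` output (not real m2e output). The
# archetype-common 2.4 -> dom4j 2.1.1 edge mirrors what the thread describes;
# org.example:* coordinates are placeholders.
VULNERABLE_TREE = """\
[INFO] org.example:archetype-plugin:jar:1.0.0
[INFO] +- org.apache.maven.archetype:archetype-common:jar:2.4:compile
[INFO] |  +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] |  \\- org.codehaus.plexus:plexus-utils:jar:3.0.24:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# The same constructed tree after the dependency has been bumped to 2.1.3.
FIXED_TREE = VULNERABLE_TREE.replace("dom4j:jar:2.1.1", "dom4j:jar:2.1.3")

DOM4J = ("org.dom4j", "dom4j")
FIXED_VERSION = "2.1.3"   # version the thread identifies as the fix

# Maven prints each node as groupId:artifactId:type[:classifier]:version:scope,
# after the "[INFO]" prefix and the tree-drawing characters.
NODE_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)\s*$"
)


def parse_version(v):
    """Split a Maven version into numeric parts plus a flag for any qualifier.

    '2.1.3' -> ([2, 1, 3], False); '2.1.3-SNAPSHOT' -> ([2, 1, 3], True).
    """
    nums, qualifier = [], False
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = True
    return nums, qualifier


def is_below(version, fixed):
    """True if `version` sorts before `fixed` (numeric compare, qualifier < release)."""
    a, a_qual = parse_version(version)
    b, b_qual = parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    if a != b:
        return a < b
    # Same numeric release: a qualified build (e.g. -SNAPSHOT) precedes the plain release.
    return a_qual and not b_qual


def dom4j_findings(tree_text):
    """Return one finding per dom4j node in the tree: version, scope, and whether it is below the fix."""
    findings = []
    for line in tree_text.splitlines():
        m = NODE_RE.search(line)
        if not m:
            continue  # root line (no scope) or non-dependency output
        group, artifact, version, scope = m.groups()
        if (group, artifact) == DOM4J:
            findings.append({
                "version": version,
                "scope": scope,
                "below_fix": is_below(version, FIXED_VERSION),
            })
    return findings


def needs_dom4j_bump(tree_text):
    """True if any resolved dom4j version in the tree is older than the fixed version."""
    return any(f["below_fix"] for f in dom4j_findings(tree_text))


if __name__ == "__main__":
    for label, tree in (("before bump", VULNERABLE_TREE), ("after bump", FIXED_TREE)):
        print(label, dom4j_findings(tree), "-> bump needed:", needs_dom4j_bump(tree))
```

To run it against a real build, pipe the output of `mvn dependency:tree` into `needs_dom4j_bump`; the default tree shows only the mediated version of each artifact, which is the one that actually ends up on the classpath, so a single flagged node is enough to know the bump is still needed.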
From: <m2e-dev-bounces@xxxxxxxxxxx> on behalf of Fred Bricon <fbricon@xxxxxxxxx>
Reply-To: Maven Integration for Eclipse developers mailing list <m2e-dev@xxxxxxxxxxx>
Date: Wednesday, June 3, 2020 at 5:11 PM
To: Maven Integration for Eclipse developers mailing list <m2e-dev@xxxxxxxxxxx>
Subject: Re: [m2e-dev] CVE-2020-10683
maven-archetype-plugin 3+ removed some API used in m2e, upgrading is a non-trivial effort. 

I'd suggest bumping the dom4j dependency in the m2e archetype plugin in the meantime
On Thu, Jun 4, 2020 at 1:12 AM Homer, Tony <tony.homer@xxxxxxxxx> wrote:

m2e is using maven-archetype 2.4:
https://github.com/eclipse/m2e-core/blob/master/m2e-maven-runtime/org.eclipse.m2e.archetype.common/pom.xml#L27

maven-archetype removed dom4j in 3.1.2:
https://github.com/apache/maven-archetype/commit/bf7961805ea56cdad7e138f47098aacccb314db8

I'll open a change which bumps maven-archetype to 3.1.2 and removes the direct dependency on dom4j from m2e and see what happens.

Here is the commit from the last time a dom4j CVE fix was applied in m2e:
https://github.com/eclipse/m2e-core/commit/cbe8a8990fa168f3750b2accf499f87310907fcd
At that time, the issue was not fixed in maven-archetype, but I seem to recall that there was some reason why it was not practical to bump the maven-archetype dependency to 3+.  I could be misremembering so I will go ahead and give it a shot.  Maybe Fred can comment as he was involved with this last time.

Tony

On 6/3/20 , 2:41 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Homer, Tony" <m2e-dev-bounces@xxxxxxxxxxx on behalf of tony.homer@xxxxxxxxx> wrote:

    Thanks for reminding me about that.  I'll double-check the finding and see what version of maven-archetype m2e is using.

    On 6/3/20 , 2:32 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Elliotte Rusty Harold" <m2e-dev-bounces@xxxxxxxxxxx on behalf of elharo@xxxxxxxxxxx> wrote:

        maven-archetype removed the dependency on dom4j about a year ago:

        https://github.com/apache/maven-archetype/pull/29

        If that's where it's coming from, you should just need to update
        maven-archetype.


        On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
        >
        > Hi m2e-dev.
        >
        >
        >
        > I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
        >
        > https://nvd.nist.gov/vuln/detail/CVE-2020-10683
        >
        > The mitigation is to update to 2.1.3.
        >
        >
        >
        > Should I log a bug for this?
        >
        > IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
        >
        > Is it the same for this one?
        >
        >
        >
        > Thanks!
        >
        > Tony Homer
        >
        > _______________________________________________
        > m2e-dev mailing list
        > m2e-dev@xxxxxxxxxxx
        > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev
        --
        Elliotte Rusty Harold
        elharo@xxxxxxxxxxx
--

"Have you tried turning it off and on again" - The IT Crowd

And if that fails, then http://goo.gl/tnBgH5