Uploaded image for project: 'Apache Jena'
  1. Apache Jena
  2. JENA-1364

Jena-core has dependency on vulnerable Xerces version

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Jena 3.3.0
    • Fix Version/s: Jena 3.8.0
    • Component/s: Core
    • Labels:
      None

      Description

      jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).

      [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile

      A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.

        Attachments

          Issue Links

          Blocked

          Bug - A problem which impairs or prevents the functions of the product. XERCESJ-1679 xercesImpl: Security threat CVE-2013-4002

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. JENA-1537 Remove requirement for Apache Xerces.

          • Major - Major loss of function.
          • Closed

            Activity

              People

              • Assignee:
                andy Andy Seaborne
                Reporter:
                yevster Yev Bronshteyn
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: