- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: Jena 3.3.0
- Fix Version/s: Jena 3.8.0
- Component/s: Core
- Labels: None
jena-core pulls in Xerces 2.11.0, which has a known vulnerability, CVE-2013-4002 (exploitable, resulting in DoS).
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.
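A check a build engineer would want for a finding like this: an added Python script (not part of the Jena project or of this issue) that parses `mvn dependency:tree` output, tracks the nesting so it can report which direct dependency drags in `xerces:xercesImpl`, and flags any version below 2.11.0.SP1, the release the reporter points to. The sample tree is constructed from the one quoted above with Maven's usual three-column indentation restored, and the version ordering rule (major, minor, patch, SP suffix) is an assumption that suits this artifact's version strings; it is not a general Maven version comparator.

```python
"""Scan `mvn dependency:tree` output for a transitive xercesImpl that is
older than the fixed release named in the issue (2.11.0.SP1 or later)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the tree quoted in the issue, with Maven's
# real three-column indentation restored (the issue text has it collapsed).
SAMPLE_TREE = """\
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \\- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
[INFO] |  |     |  |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# Assumption: xercesImpl releases ordered as (major, minor, patch, SP) and
# everything below 2.11.0.SP1 treated as affected by CVE-2013-4002.
FIXED_XERCES = (2, 11, 0, 1)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.SP(\d+))?$")
# "[INFO] <tree glyphs><+- or \-> groupId:artifactId:type[:classifier]:version:scope"
MARKER_RE = re.compile(r"^\[INFO\] (.*?)([+\\]- )(\S+)$")


def version_key(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.11.0' / '2.11.0.SP1' into a comparable tuple; None if unparseable."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for each dependency node."""
    nodes = []
    for line in text.splitlines():
        m = MARKER_RE.match(line)
        if not m:
            continue  # build banner / download lines, not tree nodes
        prefix, _marker, coords = m.groups()
        depth = len(prefix) // 3  # each nesting level is three columns wide
        parts = coords.split(":")
        if len(parts) < 5:
            continue  # not a full Maven coordinate
        # groupId:artifactId:packaging[:classifier]:version:scope
        nodes.append((depth, parts[0], parts[1], parts[-2]))
    return nodes


def find_vulnerable_xerces(text: str) -> List[Dict[str, str]]:
    """Report every xercesImpl node below the fixed version with its pull-in path."""
    findings: List[Dict[str, str]] = []
    chain: List[str] = []
    for depth, group, artifact, version in parse_tree(text):
        del chain[depth:]  # unwind to this node's parent level
        chain.append(f"{group}:{artifact}:{version}")
        if (group, artifact) != ("xerces", "xercesImpl"):
            continue
        key = version_key(version)
        if key is None:
            reason = "unrecognised version string, needs manual review"
        elif key < FIXED_XERCES:
            reason = "older than 2.11.0.SP1"
        else:
            continue
        findings.append({"version": version, "reason": reason,
                         "path": " -> ".join(chain)})
    return findings


if __name__ == "__main__":
    import sys
    # Usage: mvn dependency:tree | python check_xerces.py   (falls back to the sample)
    source = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_vulnerable_xerces(source)
    for hit in hits:
        print(f"xercesImpl {hit['version']} ({hit['reason']}) via {hit['path']}")
    sys.exit(1 if hits else 0)
```

Piped the real tree, the script exits non-zero when an affected xercesImpl is present, so it can gate a CI step; the reported path shows the chain (here apache-jena-libs through jena-core) on which a `dependencyManagement` override or exclusion would have to act.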
Issue links:
- Blocked: XERCESJ-1679 xercesImpl: Security threat CVE-2013-4002 (Resolved)
- is related to: JENA-1537 Remove requirement for Apache Xerces. (Closed)