Uploaded image for project: 'Apache Jena'
  1. Apache Jena
  2. JENA-1364

Jena-core has dependency on vulnerable Xerces version

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Jena 3.3.0
    • Fix Version/s: Jena 3.8.0
    • Component/s: Core
    • Labels:
      None

      Description

      jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).

      [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile

      A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.

        Attachments

        Issue Links

        Blocked

        Bug - A problem which impairs or prevents the functions of the product. XERCESJ-1679 xercesImpl: Security threat CVE-2013-4002

        • Critical - Crashes, loss of data, severe memory leak.
        • Resolved
        is related to

        Improvement - An improvement or enhancement to an existing feature or task. JENA-1537 Remove requirement for Apache Xerces.

        • Major - Major loss of function.
        • Closed

          Activity
          $i18n.getText('security.level.explanation', $currentSelection) Viewable by All Users
          Cancel

            People

            • Assignee:
              andy Andy Seaborne
              Reporter:
              yevster Yev Bronshteyn

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment