Uploaded image for project: 'Apache Jena'
  1. Apache Jena
  2. JENA-1364

Jena-core has dependency on vulnerable Xerces version

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Jena 3.3.0
    • Jena 3.8.0
    • Core
    • None

    Description

      jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).

      [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile

      A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.

      Attachments

        Issue Links

          Blocked

          Bug - A problem which impairs or prevents the functions of the product. XERCESJ-1679 xercesImpl: Security threat CVE-2013-4002

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is related to

          Improvement - An improvement or enhancement to an existing feature or task. JENA-1537 Remove requirement for Apache Xerces.

          • Major - Major loss of function.
          • Closed

          Activity

            People

              andy Andy Seaborne
              yevster Yev Bronshteyn
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: