Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Jena 3.3.0
- None
Description
jena-core pulls in Xerces 2.11.0, which has a known vulnerability, CVE-2013-4002 (exploitable, resulting in DoS).

[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.
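As an added illustration (not part of this issue or of the Jena project), the following script scans `mvn dependency:tree` output for a xercesImpl older than the proposed fix level and reports the dependency chain that pulls it in. The sample tree is constructed from the lines above; the version ordering (2.11.0 < 2.11.0.SP1 < 2.12.0) is an assumption about how the Red Hat SP qualifier should rank.

```python
import re
from typing import List, Tuple

# Constructed sample: the tree from the issue, re-spaced the way
# `mvn dependency:tree` prints it (three characters per nesting level).
SAMPLE_TREE = """\
[INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
[INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
[INFO] |  |  \\- org.apache.jena:jena-arq:jar:3.3.0:compile
[INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
[INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
"""

# One tree node per line: a prefix of 3-character columns, then the coordinate.
NODE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[-|+\\ ]{3})*)(?P<coord>\S+)$")

def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Order versions so that 2.11.0 < 2.11.0.SP1 < 2.12.0 (assumed ranking).
    Numeric parts compare numerically; an SPn qualifier ranks above the
    plain release with the same numbers (0 when absent)."""
    nums: List[int] = []
    sp = 0
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            nums.append(int(part))
        elif part.upper().startswith("SP") and part[2:].isdigit():
            sp = int(part[2:])
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]), sp

def find_vulnerable(tree: str, group: str, artifact: str, fixed: str) -> List[Tuple[str, List[str]]]:
    """Return (version, ancestors) for every group:artifact node older than
    `fixed`, so the report names the chain that drags the old jar in."""
    path: List[str] = []  # coordinates from the top-level node down to the current one
    hits: List[Tuple[str, List[str]]] = []
    for line in tree.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")  # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue  # separator lines such as "[INFO] ----" are not nodes
        g, a = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # root line has no scope
        depth = len(m.group("prefix")) // 3
        path[depth:] = [f"{g}:{a}:{version}"]  # drop deeper siblings, record this node
        if g == group and a == artifact and version_key(version) < version_key(fixed):
            hits.append((version, path[:-1]))
    return hits

if __name__ == "__main__":
    for version, chain in find_vulnerable(SAMPLE_TREE, "xerces", "xercesImpl", "2.11.0.SP1"):
        print(f"xercesImpl {version} via " + " -> ".join(chain))
```

Re-run it against the tree after the override and an empty result confirms the old jar is no longer on the compile classpath.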
Attachments
Issue Links
- Blocked: XERCESJ-1679 xercesImpl: Security threat CVE-2013-4002 (Resolved)
- is related to: JENA-1537 Remove requirement for Apache Xerces. (Closed)