Uploaded image for project: 'Apache Jena'
  1. Apache Jena
  2. JENA-1364

Jena-core has dependency on vulnerable Xerces version

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Jena 3.3.0
    • Fix Version/s: Jena 3.8.0
    • Component/s: Core
    • Labels:
      None

      Description

      jena-core pulls in Xerces 2.11.0, which has a known vulnerability CVE-2013-4002 (exploitable, resulting in DOS).

      [INFO] +- org.apache.jena:apache-jena-libs:pom:3.3.0:compile
      [INFO] |  +- org.apache.jena:jena-tdb:jar:3.3.0:compile
      [INFO] |  |  \- org.apache.jena:jena-arq:jar:3.3.0:compile
      [INFO] |  |     +- org.apache.jena:jena-core:jar:3.3.0:compile
      [INFO] |  |     |  +- xerces:xercesImpl:jar:2.11.0:compile
      

      A potential fix would be to pull in xerces 2.11.0.SP1 or later from one of the Red Hat repositories.

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              andy Andy Seaborne
              Reporter:
              yevster Yev Bronshteyn

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment