[ https://issues.apache.org/jira/browse/FELIX-6230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17050959#comment-17050959 ]

Carsten Ziegeler edited comment on FELIX-6230 at 3/18/20, 1:21 PM:
-------------------------------------------------------------------

Thanks for reporting this - please note that in most cases these are just build 
time dependencies not runtime dependencies. At runtime newer versions of the 
libraries can be used. Nevertheless we should update the dependencies.

Next time, please create issues per sub project as this makes tracking them 
much easier for users and developers.

||Project|Library|Suggest Update||
|-http/sslfilter-|-commons-collections : commons-collections : 3.2.1-|-3.2.2-|
|-http/whiteboard-|-commons-collections : commons-collections : 3.2.1-|-3.2.2-|
|-http/jetty-|-org.eclipse.jetty : 9.4.11.v20180605-|-9.4.26.v20200117-|
|-http/cometd-|-org.eclipse.jetty : * : 9.3.8.v20160314-|-9.4.26.v20200117-|
|-deploymentadmin/itest-|-org.bouncycastle : * : 1.54-|-1.60, 1.61, 1.62, 1.63, 1.64-|
|-deploymentadmin/itest-|-ch.qos.logback : logback-core-|-> 1.2.0-|
|-deploymentadmin/itest-|-ch.qos.logback : logback-classic-|-> 1.2.0-|
|-deploymentadmin/itest-|-org.ops4j.pax.url : pax-url-aether : 1.6.0-|-2.6.2-|
|-ipojo/manipulator/maven-ipojo-plugin-|-xerces-|-remove-|
|-ipojo/manipulator/maven-ipojo-plugin-|-org.codehaus.plexus : plexus-utils : 2.0.5-|-3.0.16-|
|-useradmin/itest-|-org.ops4j.pax.runner : pax-runner-no-jcl : 1.7.6-|-1.9.0-|
|ipojo/* (several subprojects)|ch.qos.logback : logback-core : 0.9.x|> 1.2.0|
|ipojo/* (several subprojects)|ch.qos.logback : logback-classic : 0.9.x|> 1.2.0|
|ipojo/distributions/ipojo-webconsole-quicktart|commons-fileupload : commons-fileupload : 1.2.2|1.4|
|-scr-|-ch.qos.logback : logback-core : 0.9.29-|-> 1.2.0-|
|-scr-|-ch.qos.logback : logback-classic : 0.9.29-|-> 1.2.0-|
|-systemready-|-ch.qos.logback : logback-core : 1.0.13-|-> 1.2.0-|
|-systemready-|-ch.qos.logback : logback-classic : 1.0.13-|-> 1.2.0-|
|-tools/org.apache.felix.scr.ant-|-org.apache.ant : ant : 1.7.0-|-1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.7.1, 1.8.4, 1.9.0, 1.9.1, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9-|
|-tools/maven-bundle-plugin-|-org.codehaus.plexus : plexus-utils : 3.0.10-|-3.3.0-|
|-tools/maven-bundle-plugin/src/it/embed-multiple-artifacts-|-org.apache.commons : commons-compress : 1.10-|-1.19-|
|-tools/maven-bundle-plugin/src/it/dep-reduced-|-org.apache.commons : commons-compress : 1.10-|-1.19-|
|examples/jaas/jdbc-h2|com.h2database : h2 : 1.3.171|1.4.198, 1.4.199, 1.4.200|
|-webconsole-plugins/subsystems-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-.webconsole-plugins/deppack-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-webconsole-plugins/script-console-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-webconsole-|-commons-fileupload : commons-fileupload : 1.2.1-|-1.4-|
|-tools/maven-scr-plugin/src/it/*-|-org.apache.sling : org.apache.sling.api : 2.2.0-|-> 2.9.0-|
|-bundlerepository-|-org.codehaus.woodstox : woodstox-core-asl : 4.0.7-|-4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1-|




was (Author: cziegeler):
Thanks for reporting this - please note that in most cases these are just build 
time dependencies not runtime dependencies. At runtime newer versions of the 
libraries can be used. Nevertheless we should update the dependencies.

Next time, please create issues per sub project as this makes tracking them 
much easier for users and developers.

||Project|Library|Suggest Update||
|-http/sslfilter-|-commons-collections : commons-collections : 3.2.1-|-3.2.2-|
|-http/whiteboard-|-commons-collections : commons-collections : 3.2.1-|-3.2.2-|
|-http/jetty-|-org.eclipse.jetty : 9.4.11.v20180605-|-9.4.26.v20200117-|
|-http/cometd-|-org.eclipse.jetty : * : 9.3.8.v20160314-|-9.4.26.v20200117-|
|-deploymentadmin/itest-|-org.bouncycastle : * : 1.54-|-1.60, 1.61, 1.62, 1.63, 1.64-|
|-deploymentadmin/itest-|-ch.qos.logback : logback-core-|-> 1.2.0-|
|-deploymentadmin/itest-|-ch.qos.logback : logback-classic-|-> 1.2.0-|
|-deploymentadmin/itest-|-org.ops4j.pax.url : pax-url-aether : 1.6.0-|-2.6.2-|
|ipojo/manipulator/maven-ipojo-plugin|org.ops4j.pax.runner : pax-runner-no-jcl : 1.7.6|2.12.0|
|ipojo/manipulator/maven-ipojo-plugin|org.codehaus.plexus : plexus-utils : 2.0.5|3.0.16|
|ipojo/manipulator/maven-ipojo-ant.task|org.ops4j.pax.runner : pax-runner-no-jcl : 1.7.6|2.12.0|
|ipojo/* (several subprojects)|ch.qos.logback : logback-core : 0.9.x|> 1.2.0|
|ipojo/* (several subprojects)|ch.qos.logback : logback-classic : 0.9.x|> 1.2.0|
|ipojo/distributions/ipojo-webconsole-quicktart|commons-fileupload : commons-fileupload : 1.2.2|1.4|
|-scr-|-ch.qos.logback : logback-core : 0.9.29-|-> 1.2.0-|
|-scr-|-ch.qos.logback : logback-classic : 0.9.29-|-> 1.2.0-|
|-systemready-|-ch.qos.logback : logback-core : 1.0.13-|-> 1.2.0-|
|-systemready-|-ch.qos.logback : logback-classic : 1.0.13-|-> 1.2.0-|
|-tools/org.apache.felix.scr.ant-|-org.apache.ant : ant : 1.7.0-|-1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.7.1, 1.8.4, 1.9.0, 1.9.1, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9-|
|-tools/maven-bundle-plugin-|-org.codehaus.plexus : plexus-utils : 3.0.10-|-3.3.0-|
|-tools/maven-bundle-plugin/src/it/embed-multiple-artifacts-|-org.apache.commons : commons-compress : 1.10-|-1.19-|
|-tools/maven-bundle-plugin/src/it/dep-reduced-|-org.apache.commons : commons-compress : 1.10-|-1.19-|
|examples/jaas/jdbc-h2|com.h2database : h2 : 1.3.171|1.4.198, 1.4.199, 1.4.200|
|-webconsole-plugins/subsystems-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-.webconsole-plugins/deppack-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-webconsole-plugins/script-console-|-commons-fileupload : commons-fileupload : 1.3.2-|-1.4-|
|-webconsole-|-commons-fileupload : commons-fileupload : 1.2.1-|-1.4-|
|-tools/maven-scr-plugin/src/it/*-|-org.apache.sling : org.apache.sling.api : 2.2.0-|-> 2.9.0-|
|-bundlerepository-|-org.codehaus.woodstox : woodstox-core-asl : 4.0.7-|-4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1-|



> Vulnerable dependencies in your project.(CVEs)
> ----------------------------------------------
>
>                 Key: FELIX-6230
>                 URL: https://issues.apache.org/jira/browse/FELIX-6230
>             Project: Felix
>          Issue Type: Bug
>            Reporter: XuCongying
>            Priority: Major
>
> Hi,
> I found some CVEs in the library dependencies, which may affect the security 
> of your projects. To prevent potential risk it may cause, I suggest a library 
> update. See details below:
>  Vulnerable Library Version: commons-collections : commons-collections : 3.2.1
>   CVE ID: 
> [CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420)
>   Import Path: http/sslfilter/pom.xml, http/whiteboard/pom.xml
>   Suggested Safe Versions: 20030418.083655, 20031027.000000, 20040102.233541, 
> 20040616, 3.2.2
>  Vulnerable Library Version: org.bouncycastle : bcpkix-jdk15on : 1.54
>   CVE ID: 
> [CVE-2017-13098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098),
>  
> [CVE-2016-1000341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341),
>  
> [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613)
>   Import Path: deploymentadmin/itest/pom.xml
>   Suggested Safe Versions: 1.60, 1.61, 1.62, 1.63, 1.64
>  Vulnerable Library Version: org.ops4j.pax.runner : pax-runner-no-jcl : 1.7.6
>   CVE ID: 
> [CVE-2012-5783](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783)
>   Import Path: useradmin/itest/pom.xml
>   Suggested Safe Versions: 1.9.0
>  Vulnerable Library Version: xerces : xercesImpl : 2.9.1
>   CVE ID: 
> [CVE-2012-0881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881),
>  [CVE-2013-4002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002)
>   Import Path: ipojo/manipulator/maven-ipojo-plugin/pom.xml, 
> ipojo/manipulator/ipojo-ant-task/pom.xml
>   Suggested Safe Versions: 2.12.0
>  Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.11.v20180605
>   CVE ID: 
> [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246),
>  
> [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241)
>   Import Path: http/jetty/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 
> 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 
> 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 
> 9.4.26.v20200117
>  Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.3.8.v20160314
>   CVE ID: 
> [CVE-2017-9735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735),
>  
> [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246),
>  
> [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241),
>  
> [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536)
>   Import Path: http/cometd/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 
> 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 
> 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 
> 9.4.26.v20200117
>  Vulnerable Library Version: org.apache.ant : ant : 1.7.0
>   CVE ID: 
> [CVE-2012-2098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098)
>   Import Path: tools/org.apache.felix.scr.ant/pom.xml
>   Suggested Safe Versions: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 
> 1.10.6, 1.10.7, 1.7.1, 1.8.4, 1.9.0, 1.9.1, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 
> 1.9.14, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9
>  Vulnerable Library Version: org.eclipse.jetty : jetty-client : 
> 9.3.8.v20160314
>   CVE ID: 
> [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657),
>  
> [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658),
>  [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656)
>   Import Path: http/cometd/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.11.v20180605, 
> 9.4.12.RC0, 9.4.12.RC1, 9.4.12.RC2, 9.4.12.v20180830, 9.4.13.v20181111, 
> 9.4.14.v20181114, 9.4.15.v20190215, 9.4.16.v20190411, 9.4.17.v20190418, 
> 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 
> 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 
> 9.4.26.v20200117
>  Vulnerable Library Version: org.codehaus.plexus : plexus-utils : 2.0.5
>   CVE ID: 
> [CVE-2017-1000487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487)
>   Import Path: ipojo/manipulator/maven-ipojo-plugin/pom.xml
>   Suggested Safe Versions: 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 
> 3.0.22, 3.0.23, 3.0.24, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0
>  Vulnerable Library Version: org.codehaus.plexus : plexus-utils : 3.0.10
>   CVE ID: 
> [CVE-2017-1000487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487)
>   Import Path: tools/maven-bundle-plugin/pom.xml
>   Suggested Safe Versions: 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 
> 3.0.22, 3.0.23, 3.0.24, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0
>  Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.6
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: ipojo/runtime/core-it/ipojo-core-factory-test/pom.xml, 
> ipojo/runtime/core-it/ipojo-core-handler-test/pom.xml...(The rest of the 34 
> paths is hidden.)
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.29
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: scr/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-core : 1.0.13
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: systemready/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-core : 1.1.3
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: deploymentadmin/itest/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.20
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: 
> ipojo/handler/eventadmin/eventadmin-handler-it/src/it/event-admin-it/pom.xml, 
> ipojo/handler/eventadmin/eventadmin-handler-it/pom.xml, 
> ipojo/handler/jmx/jmx-handler-it/src/it/jmx-it/pom.xml, 
> ipojo/handler/jmx/jmx-handler-it/pom.xml, 
> ipojo/handler/temporal/temporal-dependency-handler-it/src/it/temporal-it/pom.xml,
>  ipojo/handler/temporal/temporal-dependency-handler-it/pom.xml, 
> ipojo/handler/transaction/transaction-handler-it/src/it/transaction-it/pom.xml,
>  ipojo/handler/transaction/transaction-handler-it/pom.xml, 
> ipojo/handler/whiteboard/whiteboard-handler-it/src/it/whiteboard-it/pom.xml, 
> ipojo/handler/whiteboard/whiteboard-handler-it/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: org.ops4j.pax.url : pax-url-aether : 1.6.0
>   CVE ID: 
> [CVE-2015-6748](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748)
>   Import Path: deploymentadmin/itest/pom.xml
>   Suggested Safe Versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 
> 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 
> 2.6.0, 2.6.1, 2.6.2
>  Vulnerable Library Version: com.h2database : h2 : 1.3.171
>   CVE ID: 
> [CVE-2018-10054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054),
>  
> [CVE-2018-14335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335)
>   Import Path: examples/jaas/jdbc-h2/pom.xml
>   Suggested Safe Versions: 1.4.198, 1.4.199, 1.4.200
>  Vulnerable Library Version: org.eclipse.jetty : jetty-server : 
> 9.4.11.v20180605
>   CVE ID: 
> [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247)
>   Import Path: http/jetty/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 
> 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 
> 9.4.25.v20191220, 9.4.26.v20200117
>  Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.3.2
>   CVE ID: 
> [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031)
>   Import Path: webconsole-plugins/subsystems/pom.xml, 
> webconsole-plugins/deppack/pom.xml, webconsole-plugins/script-console/pom.xml
>   Suggested Safe Versions: 1.3.3, 1.4
>  Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.2.1
>   CVE ID: 
> [CVE-2013-2186](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186),
>  
> [CVE-2016-3092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092),
>  
> [CVE-2014-0050](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050),
>  
> [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031),
>  [CVE-2013-0248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248)
>   Import Path: webconsole/pom.xml
>   Suggested Safe Versions: 1.3.3, 1.4
>  Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.2.2
>   CVE ID: 
> [CVE-2013-2186](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186),
>  
> [CVE-2016-3092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092),
>  
> [CVE-2014-0050](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050),
>  
> [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031),
>  [CVE-2013-0248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248)
>   Import Path: ipojo/distributions/ipojo-webconsole-quicktart/pom.xml
>   Suggested Safe Versions: 1.3.3, 1.4
>  Vulnerable Library Version: org.apache.commons : commons-compress : 1.10
>   CVE ID: 
> [CVE-2018-11771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771)
>   Import Path: 
> tools/maven-bundle-plugin/src/it/embed-multiple-artifacts/pom.xml, 
> tools/maven-bundle-plugin/src/it/dep-reduced/pom.xml
>   Suggested Safe Versions: 1.19, 1.20
>  Vulnerable Library Version: org.apache.sling : org.apache.sling.api : 2.2.0
>   CVE ID: 
> [CVE-2015-2944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944)
>   Import Path: tools/maven-scr-plugin/src/it/basic-build-it/pom.xml, 
> tools/maven-scr-plugin/src/it/external-annotations-it/pom.xml
>   Suggested Safe Versions: 2.11.0, 2.12.0, 2.14.0, 2.14.2, 2.15.0, 2.16.0, 
> 2.16.2, 2.16.4, 2.18.0, 2.18.2, 2.18.4, 2.2.2, 2.2.4, 2.20.0, 2.21.0, 2.22.0, 
> 2.3.0, 2.4.0, 2.4.2, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0
>  Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.6
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: ipojo/runtime/core-it/ipojo-core-factory-test/pom.xml, 
> ipojo/runtime/core-it/ipojo-core-handler-test/pom.xml...(The rest of the 34 
> paths is hidden.)
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.29
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: scr/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-classic : 1.0.13
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: systemready/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-classic : 1.1.3
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: deploymentadmin/itest/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.20
>   CVE ID: 
> [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
>   Import Path: 
> ipojo/handler/eventadmin/eventadmin-handler-it/src/it/event-admin-it/pom.xml, 
> ipojo/handler/eventadmin/eventadmin-handler-it/pom.xml, 
> ipojo/handler/jmx/jmx-handler-it/src/it/jmx-it/pom.xml, 
> ipojo/handler/jmx/jmx-handler-it/pom.xml, 
> ipojo/handler/temporal/temporal-dependency-handler-it/src/it/temporal-it/pom.xml,
>  ipojo/handler/temporal/temporal-dependency-handler-it/pom.xml, 
> ipojo/handler/transaction/transaction-handler-it/src/it/transaction-it/pom.xml,
>  ipojo/handler/transaction/transaction-handler-it/pom.xml, 
> ipojo/handler/whiteboard/whiteboard-handler-it/src/it/whiteboard-it/pom.xml, 
> ipojo/handler/whiteboard/whiteboard-handler-it/pom.xml
>   Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 
> 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5
>  Vulnerable Library Version: org.codehaus.woodstox : woodstox-core-asl : 4.0.7
>   CVE ID: 
> [CVE-2013-2160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2160)
>   Import Path: bundlerepository/pom.xml
>   Suggested Safe Versions: 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1
>  Vulnerable Library Version: org.bouncycastle : bcprov-jdk15on : 1.54
>   CVE ID: 
> [CVE-2016-1000346](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346),
>  
> [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613),
>  
> [CVE-2015-6644](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6644),
>  
> [CVE-2016-1000341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341),
>  
> [CVE-2016-1000340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000340),
>  
> [CVE-2016-1000342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342),
>  
> [CVE-2016-1000344](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344),
>  
> [CVE-2016-1000343](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343),
>  
> [CVE-2018-5382](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5382),
>  
> [CVE-2016-1000339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339),
>  
> [CVE-2016-1000345](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345),
>  
> [CVE-2016-1000352](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352),
>  
> [CVE-2016-1000338](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338),
>  
> [CVE-2017-13098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098)
>   Import Path: deploymentadmin/itest/pom.xml
>   Suggested Safe Versions: 1.60, 1.61, 1.62, 1.64
>  Vulnerable Library Version: org.eclipse.jetty : jetty-http : 9.3.8.v20160314
>   CVE ID: 
> [CVE-2018-12545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12545),
>  
> [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657),
>  
> [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658),
>  [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656)
>   Import Path: http/cometd/pom.xml
>   Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.16.v20190411, 
> 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 
> 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 
> 9.4.25.v20191220, 9.4.26.v20200117



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
