The issue there is when processing malicious XSLT.

We don't pass untrusted XSLT to it?

Tom

On 15/08/2022 22:36, Brian Raymes wrote:
Seems like those dependencies need to be replaced due to vulnerabilities, as 
the Apache Xalan project has been retired:

https://github.com/advisories/GHSA-9339-86wc-4qgf



-----Original Message-----
From: Piotr Zarzycki <piotrzarzyck...@gmail.com>
Sent: Sunday, August 14, 2022 3:26 AM
To: dev@flex.apache.org
Subject: [EXTERNAL] BlazeDS release

Hi All,

In this thread I will be reporting updates related to the release of BlazeDS. I 
looked into Chris's branch and I would like to exclude the Proxy module from the 
upcoming release. Please let me know in this thread whether you have anything 
against it.

Meanwhile I have the following error on the console during the build. Anyone know 
what that means?

One or more dependencies were identified with known vulnerabilities in
flex-messaging-common:

serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169

xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169

See the dependency-check report for more details.

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:
[INFO]
[INFO] Apache Flex - BlazeDS .............................. SUCCESS [  5.914 s]
[INFO] flex-messaging-archetypes .......................... SUCCESS [  1.409 s]
[INFO] blazeds-spring-boot-example-archetype .............. SUCCESS [  4.430 s]
[INFO] flex-messaging-common .............................. FAILURE [  2.155 s]
[INFO] flex-messaging-core ................................ SKIPPED
[INFO] flex-messaging-proxy ............................... SKIPPED
[INFO] flex-messaging-remoting ............................ SKIPPED
[INFO] flex-messaging-opt ................................. SKIPPED
[INFO] flex-messaging-opt-tomcat .......................... SKIPPED
[INFO] flex-messaging-opt-tomcat-base ..................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  14.115 s
[INFO] Finished at: 2022-08-14T12:24:30+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default) on project flex-messaging-common:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0':
[ERROR]
[ERROR] serializer-2.7.2.jar: CVE-2022-34169(9.8)
[ERROR] xalan-2.7.2.jar: CVE-2022-34169(9.8)
[ERROR]
[ERROR] See the dependency-check report for more details.

Thanks,
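The build output above shows dependency-check-maven 7.1.0 failing flex-messaging-common because CVE-2022-34169 (CVSS 9.8) is above the configured threshold of 4.0. If the project concludes, as Tom's question suggests, that BlazeDS never hands untrusted XSLT to Xalan, the way to record that decision is a suppression scoped to this one CVE and these two artifacts, with the justification and an expiry date in the entry, rather than raising the CVSS threshold for the whole build. The following is an added example and not BlazeDS's own configuration: the file name dependency-check-suppressions.xml, the expiry date and the wording of the justification are assumptions to be replaced with the project's actual finding.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example, not the project's file). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- 'until' forces the entry to expire so the decision is revisited;
       the date is an assumption. -->
  <suppress until="2023-02-01Z">
    <notes><![CDATA[
      Hypothetical justification (replace with the project's own review result):
      CVE-2022-34169 affects Xalan only when processing malicious XSLT.
      The stylesheets used here are packaged with the application and no XSLT
      received from clients is processed, so the vulnerable path is not reachable.
      Re-evaluate if XSLT handling changes or when Xalan is replaced.
    ]]></notes>
    <!-- Match exactly the two reported artifacts; anything else still fails the build. -->
    <packageUrl regex="true">^pkg:maven/xalan/(xalan|serializer)@2\.7\.2$</packageUrl>
    <cve>CVE-2022-34169</cve>
  </suppress>
</suppressions>

<!-- pom.xml fragment (added example): keep the 4.0 threshold reported in the
     build output and point the plugin at the suppression file above. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>7.1.0</version>
  <configuration>
    <failBuildOnCVSS>4.0</failBuildOnCVSS>
    <suppressionFiles>
      <!-- Path is an assumption; keep the file in the repository so the
           risk-acceptance entry is reviewed like any other change. -->
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place the check still fails on any other finding at or above 4.0, including a new CVE against the same xalan jars, because the suppression names a single CVE and a single version; the expiry date makes the build fail again once the accepted period ends, which is the prompt to confirm the reasoning still holds or to retire the dependency.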
