Hi Chris and All, I will try to upgrade dependencies myself this week. I will let you know here how it goes.
Thanks, Piotr wt., 16 sie 2022 o 14:46 Christofer Dutz <christofer.d...@c-ware.de> napisał(a): > Well … > > you might not, but a malicious attacker might. > I think the last few releases of BlazeDS, that I did in the past were > reacting to CVEs reported in the XML processing part of BlazeDS. Here, for > example, a malicious attacker could embed xml using xml-entities that > referenced protected resources on the server and the BlazeDS server just > resolved them exposing this protected information. > > However, I think I remember I turned off the xml processing of external > resources per default. I probably this problem would not apply in very many > cases. > > However, this seems to be a pretty new vulnerability, as I wasn’t getting > it when I started the branch. So, I would advise to look, if a newer > version is available and simply switch to that. If you need help with that > … give me a ping. Should be a matter of 5 minutes. > > Chris > > > From: Tom Chiverton <t...@extravision.com> > Date: Tuesday, 16 August 2022 at 12:20 > To: dev@flex.apache.org <dev@flex.apache.org>, Brian Raymes < > brian.ray...@teotech.com> > Subject: Re: [EXTERNAL] BlazeDS release > The issue there is when processing malicious XSLT. > > We don't pass untrusted XSLT to it ? > > Tom > > On 15/08/2022 22:36, Brian Raymes wrote: > > Seems like those dependencies need to be replaced due to > vulnerabilities, as the Apache Xalan project has been retired: > > > > https://github.com/advisories/GHSA-9339-86wc-4qgf > > > > > > > > -----Original Message----- > > From: Piotr Zarzycki <piotrzarzyck...@gmail.com> > > Sent: Sunday, August 14, 2022 3:26 AM > > To: dev@flex.apache.org > > Subject: [EXTERNAL] BlazeDS release > > > > Hi All, > > > > In this thread I will be reporting updates related to release of > BlazeDS. I looked into Chris's branch and I would like to exclude Proxy > module from upcoming release. Please let me know in this thread whether you > have anything against it. > > > > Meanwhile I have following error on the console during build - Anyone > know what that means ? > > > > One or more dependencies were identified with known vulnerabilities in > > flex-messaging-common: > > > > > > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2, > > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169 > > > > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2, > > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169 > > > > > > > > See the dependency-check report for more details. > > > > > > > > [*INFO*] > > > *------------------------------------------------------------------------* > > > > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:* > > > > [*INFO*] > > > > [*INFO*] Apache Flex - BlazeDS .............................. > > *SUCCESS* [ 5.914 > > s] > > > > [*INFO*] flex-messaging-archetypes .......................... > > *SUCCESS* [ 1.409 > > s] > > > > [*INFO*] blazeds-spring-boot-example-archetype .............. > > *SUCCESS* [ 4.430 > > s] > > > > [*INFO*] flex-messaging-common .............................. > > *FAILURE* [ 2.155 > > s] > > > > [*INFO*] flex-messaging-core ................................ *SKIPPED* > > > > [*INFO*] flex-messaging-proxy ............................... *SKIPPED* > > > > [*INFO*] flex-messaging-remoting ............................ *SKIPPED* > > > > [*INFO*] flex-messaging-opt ................................. *SKIPPED* > > > > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED* > > > > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED* > > > > [*INFO*] > > > *------------------------------------------------------------------------* > > > > [*INFO*] *BUILD FAILURE* > > > > [*INFO*] > > > *------------------------------------------------------------------------* > > > > [*INFO*] Total time: 14.115 s > > > > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00 > > > > [*INFO*] > > > *------------------------------------------------------------------------* > > > > [*ERROR*] Failed to execute goal > > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project > > flex-messaging-common: > > > > [*ERROR*] > > > > [*ERROR*] *One or more dependencies were identified with vulnerabilities > that have a CVSS score greater than or equal to '4.0': * > > > > [*ERROR*] > > > > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)* > > > > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)* > > > > [*ERROR*] > > > > [*ERROR*] *See the dependency-check report for more details.* > > > > Thanks, > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > For more information please visit http://www.symanteccloud.com > ______________________________________________________________________ > -- Piotr Zarzycki
