Hi Spiros,

Thanks! I will look into that soon.

Mon, 5 Sep 2022 at 10:58 spiros <agg...@novusnet.gr> wrote:

> Hi,
> This library is used by 4 classes (only the org.apache.xpath.CachedXPathAPI):
>
> 1. flex.messaging.config.ApacheXPathClientConfigurationParser.java (common).
> 2. flex.messaging.config.ApacheXPathServerConfigurationParser.java (core).
> 3. flex.messaging.io.amf.MessageGenerator.java (core-test)
> 4. flex.messaging.io.amfx.DeserializationConfirmation.java (core-test)
>
>
>
> Classes 1 and 2 add XML support for Java JRE 1.4; you can see:
> flex.messaging.config.ServicesDependencies.java (common), lines 219-236,
> function static ConfigurationParser getConfigurationParser(String className),
> for the first,
> and
> flex.messaging.config.FlexConfigurationManager.java (core), lines 105-118,
> function private ConfigurationParser getConfigurationParser(ServletConfig servletConfig).
>
> For classes 3 and 4 (test):
> the class flex.messaging.config.XPathServerConfigurationParser.java (common)
> is a guide to modify the code.
>
> My suggestion:
> - Remove support for JRE 1.4 (too old)
> - Delete classes 1 and 2
> - Modify classes 3 and 4
> Optionally modify the classes flex.messaging.config.ServicesDependencies.java
> and flex.messaging.config.FlexConfigurationManager.java
>
>
>
> Spiros
>
>
>
>
> -----Original Message-----
> From: Piotr Zarzycki [mailto:piotrzarzyck...@gmail.com]
> Sent: Tuesday, August 30, 2022 9:57 AM
> To: dev@flex.apache.org
> Subject: Re: [EXTERNAL] BlazeDS release
>
> Maybe there is some replacement for both of that ? What do you think ?
>
> Fri, 26 Aug 2022 at 12:53 Piotr Zarzycki <piotrzarzyck...@gmail.com> wrote:
>
> > Hi guys,
> >
> > Unfortunately, neither of these plugins has a newer version.
> > The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
> > Any suggestions?
> >
> > Thanks,
> > Piotr
> >
> > Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki <piotrzarzyck...@gmail.com> wrote:
> >
> >> Hi Chris and All,
> >>
> >> I will try to upgrade dependencies myself this week. I will let you know
> >> here how it goes.
> >>
> >> Thanks,
> >> Piotr
> >>
> >> Tue, 16 Aug 2022 at 14:46 Christofer Dutz <christofer.d...@c-ware.de> wrote:
> >>
> >>> Well …
> >>>
> >>> you might not, but a malicious attacker might.
> >>> I think the last few releases of BlazeDS that I did in the past were
> >>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
> >>> example, a malicious attacker could embed XML using XML entities that
> >>> referenced protected resources on the server, and the BlazeDS server just
> >>> resolved them, exposing this protected information.
> >>>
> >>> However, I think I remember I turned off the XML processing of external
> >>> resources per default. Probably this problem would not apply in very many
> >>> cases.
> >>>
> >>> However, this seems to be a pretty new vulnerability, as I wasn't
> >>> getting it when I started the branch. So, I would advise looking whether a
> >>> newer version is available and simply switching to that. If you need help with
> >>> that … give me a ping. Should be a matter of 5 minutes.
> >>>
> >>> Chris
> >>>
> >>>
> >>> From: Tom Chiverton <t...@extravision.com>
> >>> Date: Tuesday, 16 August 2022 at 12:20
> >>> To: dev@flex.apache.org <dev@flex.apache.org>, Brian Raymes <
> >>> brian.ray...@teotech.com>
> >>> Subject: Re: [EXTERNAL] BlazeDS release
> >>> The issue there is when processing malicious XSLT.
> >>>
> >>> We don't pass untrusted XSLT to it ?
> >>>
> >>> Tom
> >>>
> >>> On 15/08/2022 22:36, Brian Raymes wrote:
> >>> > Seems like those dependencies need to be replaced due to
> >>> > vulnerabilities, as the Apache Xalan project has been retired:
> >>> >
> >>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
> >>> >
> >>> >
> >>> >
> >>> > -----Original Message-----
> >>> > From: Piotr Zarzycki <piotrzarzyck...@gmail.com>
> >>> > Sent: Sunday, August 14, 2022 3:26 AM
> >>> > To: dev@flex.apache.org
> >>> > Subject: [EXTERNAL] BlazeDS release
> >>> >
> >>> > Hi All,
> >>> >
> >>> > In this thread I will be reporting updates related to the release of
> >>> > BlazeDS. I looked into Chris's branch and I would like to exclude the Proxy
> >>> > module from the upcoming release. Please let me know in this thread whether
> >>> > you have anything against it.
> >>> >
> >>> > Meanwhile, I have the following error on the console during the build.
> >>> > Anyone know what that means?
> >>> >
> >>> > One or more dependencies were identified with known vulnerabilities in flex-messaging-common:
> >>> >
> >>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2, cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2, cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >>> >
> >>> > See the dependency-check report for more details.
> >>> >
> >>> >
> >>> >
> >>> > [*INFO*] *------------------------------------------------------------------------*
> >>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
> >>> > [*INFO*]
> >>> > [*INFO*] Apache Flex - BlazeDS .............................. *SUCCESS* [  5.914 s]
> >>> > [*INFO*] flex-messaging-archetypes .......................... *SUCCESS* [  1.409 s]
> >>> > [*INFO*] blazeds-spring-boot-example-archetype .............. *SUCCESS* [  4.430 s]
> >>> > [*INFO*] flex-messaging-common .............................. *FAILURE* [  2.155 s]
> >>> > [*INFO*] flex-messaging-core ................................ *SKIPPED*
> >>> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
> >>> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
> >>> > [*INFO*] flex-messaging-opt ................................. *SKIPPED*
> >>> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
> >>> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
> >>> > [*INFO*] *------------------------------------------------------------------------*
> >>> > [*INFO*] *BUILD FAILURE*
> >>> > [*INFO*] *------------------------------------------------------------------------*
> >>> > [*INFO*] Total time:  14.115 s
> >>> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
> >>> > [*INFO*] *------------------------------------------------------------------------*
> >>> > [*ERROR*] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check *(default)* on project flex-messaging-common:
> >>> > [*ERROR*]
> >>> > [*ERROR*] *One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0': *
> >>> > [*ERROR*]
> >>> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
> >>> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
> >>> > [*ERROR*]
> >>> > [*ERROR*] *See the dependency-check report for more details.*
> >>> >
> >>> > Thanks,
> >>>
> >>>
> >>
> >>
> >> --
> >>
> >> Piotr Zarzycki
> >>
> >
> >
> > --
> >
> > Piotr Zarzycki
> >
>
>
> --
>
> Piotr Zarzycki
>
>

-- 

Piotr Zarzycki
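The replacement Spiros and Chris describe, as an added example that is not BlazeDS code: a configuration document is parsed with DOCTYPE and external-entity processing disabled and then queried with the JDK's javax.xml.xpath API instead of org.apache.xpath.CachedXPathAPI. The element names and both sample documents are constructed for illustration, and the class name is hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
// Added example (not BlazeDS code): hardened DOM parsing plus JDK XPath,
// as a stand-in for the org.apache.xpath.CachedXPathAPI usage discussed above.
public class HardenedXPathExample {
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Forbid DOCTYPE entirely, so no internal or external entity can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    // Evaluate an XPath expression with javax.xml.xpath instead of CachedXPathAPI.
    static NodeList selectNodes(Document doc, String expr) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample document; element names are illustrative only.
        String services = "<services-config><services>"
                + "<service id=\"message-service\"/>"
                + "<service id=\"remoting-service\"/>"
                + "</services></services-config>";
        NodeList ids = selectNodes(parseHardened(services), "/services-config/services/service/@id");
        for (int i = 0; i < ids.getLength(); i++) {
            System.out.println(ids.item(i).getNodeValue());
        }
        // Constructed document with a DOCTYPE: rejected before any entity is resolved.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///placeholder/protected\">]><x>&e;</x>";
        try {
            parseHardened(withDoctype);
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The feature URIs are the ones the JDK's built-in Xerces parser understands; if a different JAXP implementation is on the classpath, setFeature throws ParserConfigurationException for any it does not support, which is preferable to silently parsing with entities enabled.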