On 19/12/2025 13:48, Colm O hEigeartaigh wrote:
Hi Andy,
The question I have is that if our application has a list of jars like:
jena-base-4.2.0.jar,
jena-core-4.2.0.jar,
jena-iri-4.2.0.jar,
etc.
Should they be flagged or not against either of these two CVEs? Which specific
packages should the CVEs be updated with, so that only the impacted jars are
flagged by CVE scans?
org.apache.jena.jena-fuseki-webapp
jena-fuseki-webapp-5.4.0.jar
org.apache.jena.jena-fuseki-fulljar
jena-fuseki-fulljar-5.4.0.jar
org.apache.jena.jena-fuseki-main
jena-fuseki-main-5.4.0.jar
org.apache.jena.jena-fuseki-server
jena-fuseki-server-5.4.0.jar
versions up to 5.4.0.
Colm.
On 2025/12/17 21:50:41 Andy Seaborne wrote:
On 17/12/2025 16:29, Colm O hEigeartaigh wrote:
Hi Andy,
I believe for https://github.com/advisories/GHSA-jq2c-m8gg-mqcm it was able to
determine the impacted maven packages by looking at the fixes in
https://github.com/apache/jena/commit/03c5265910aa3a27907bf54f6b4aaae3409afa4f.
It didn't look hard enough.
The fix is in two places. The other is that commit's parent.
(two classes of the same name, different packages)
There were two code lines at that version. old world/new world migration.
Problem 1:
This does not explain jena-fuseki which is not a jar file. It is the
common maven parent but it does not contain any code and it's not a
runtime dependence. packaging=pom.
For https://github.com/advisories/GHSA-xg9p-p463-3qjp if you can clarify what
are the impacted packages I will open a PR to GitHub to update the package
information. Were the fixes limited to one or more maven modules?
The delivery of Fuseki is also involved.
Old world code:
org.apache.jena.jena-fuseki-webapp -- binary jar file and sources.jar
org.apache.jena.jena-fuseki-war -- a war file.
org.apache.jena.jena-fuseki-fulljar -- a shaded jar - not in 5.5.0
Current world code:
org.apache.jena.jena-fuseki-main -- binary jar file and sources.jar
org.apache.jena.jena-fuseki-server -- a shaded jar file,
different to the one above.
apache-jena-fuseki - a zip/tar.gz file
And the source-release
org.apache.jena.jena
Problem 2:
NB being shaded jars, the uploaded POM does not refer to the dependencies.
Still don't know where jena-core comes into it.
Andy
CVE-2025-49656 was reported to the project.
CVE-2025-50151 was discovered by the project.
Colm.
On 2025/12/17 15:34:23 Andy Seaborne wrote:
Colm,
I don't know where github gets the package information. It's not in the CVE.
Do you know how the github advisories are produced?
As maven artifacts:
org.apache.jena:jena is the source release.
org.apache.jena:jena-fuseki is the parent POM for Fuseki.
Not sure where jena-core comes in. The issues are not in jena-core.
jena-core is just one jar that makes up a release. jena-core on its own
doesn't do much and its RDF readers are just enough to make the tests work.
The project makes one release per version with all the binaries - the
source release includes source for everything. No distinction between
library use or a Fuseki server.
Both CVEs are related to Fuseki functionality but running a mixture of
jars from different versions is neither supported nor tested.
org.apache.jena:apache-jena-libs is the POM that brings in the jars for
general library use.
org.apache.jena:apache-jena-fuseki is the usual Fuseki download zip.
org.apache.jena:jena-fuseki-server is the shaded jar.
Andy
On 17/12/2025 12:09, Colm O hEigeartaigh wrote:
Hi,
Looking at https://jena.apache.org/security/advisories.html both recent CVEs
refer to Jena Fuseki:
- CVE-2025-50151 affects Jena Fuseki in versions up to 5.4.0.
- CVE-2025-49656 affects Jena Fuseki in versions up to 5.4.0.
The GitHub Advisory DB for the latter
(https://github.com/advisories/GHSA-jq2c-m8gg-mqcm) references
org.apache.jena:jena-fuseki as the impacted package. However for the first CVE
it references (https://github.com/advisories/GHSA-xg9p-p463-3qjp)
org.apache.jena:jena.
This is leading to tools like Trivy finding no vulnerability in jena-core, as
the advisory is only matched against the Jena jar. I'm not sure if it should
match against only jena-fuseki or all Jena jars.
Please review what the impacted packages are for both CVEs.
Thanks,
Colm.
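As an added example (not code from this thread, from the Jena project, or from any real scanner), the following Python script matches a list of Maven coordinates against OSV-shaped advisory records the way a package-name-based scanner does, to show why an advisory that lists only org.apache.jena:jena (the source release) or org.apache.jena:jena-fuseki (the parent POM, packaging=pom) never flags a deployed jar, and what changes when per-module coordinates or a whole-group match are used instead. The advisory records, the fixed version 5.5.0, the per-module package list (taken from the candidates asked about above, not a confirmed affected list) and the dependency lists are all constructed assumptions for illustration.

```python
"""Which Maven artifacts would a package-name-based scanner flag?

Added example, not Jena project code or a scanner's implementation.
Advisory records and dependency lists are constructed; the per-module
package list is an assumption, not a statement of what is affected.
"""


def osv_record(osv_id, package_names, fixed):
    """Minimal OSV-shaped advisory: Maven ecosystem, package name is
    "groupId:artifactId", one ECOSYSTEM range [first version, fixed)."""
    return {"id": osv_id, "affected": [
        {"package": {"ecosystem": "Maven", "name": name},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": fixed}]}]}
        for name in package_names]}


# As published for the first CVE: only the source-release coordinate.
# The fixed version "5.5.0" is assumed here.
ADVISORY_SOURCE_RELEASE = osv_record(
    "GHSA-xg9p-p463-3qjp", ["org.apache.jena:jena"], "5.5.0")

# Assumed per-module list: the candidate coordinates from the thread.
ADVISORY_PER_MODULE = osv_record(
    "GHSA-xg9p-p463-3qjp",
    ["org.apache.jena:jena-fuseki-webapp", "org.apache.jena:jena-fuseki-fulljar",
     "org.apache.jena:jena-fuseki-main", "org.apache.jena:jena-fuseki-server"],
    "5.5.0")


def parse_version(text):
    """Leading numeric components only: "5.4.0-SNAPSHOT" -> (5, 4, 0).
    Enough for x.y.z releases; not a full Maven ComparableVersion."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_in_events(version, events):
    """OSV ECOSYSTEM semantics: affected once an "introduced" <= version
    is seen, until a later "fixed" <= version closes the range."""
    v = parse_version(version)
    affected = False
    for event in events:  # events are in ascending order
        if "introduced" in event and parse_version(event["introduced"]) <= v:
            affected = True
        if "fixed" in event and parse_version(event["fixed"]) <= v:
            affected = False
    return affected


def is_affected(name, version, advisory, match_group_only=False):
    """True if name ("groupId:artifactId") at version is in an affected
    range. match_group_only compares only the groupId, i.e. the policy
    of flagging every jar in the group regardless of artifact."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg.get("ecosystem") != "Maven":
            continue
        listed = pkg["name"]
        same = (listed.split(":")[0] == name.split(":")[0]
                if match_group_only else listed == name)
        if not same:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_events(version, rng["events"]):
                return True
    return False


def flagged(coordinates, advisory, match_group_only=False):
    """Coordinates ("groupId:artifactId:version") the scanner reports."""
    hits = []
    for coord in coordinates:
        group, artifact, version = coord.split(":")
        if is_affected(f"{group}:{artifact}", version, advisory, match_group_only):
            hits.append(coord)
    return hits


# Constructed dependency lists. Neither "org.apache.jena:jena" (source
# release) nor "org.apache.jena:jena-fuseki" (parent POM) is ever a
# deployed jar, so an exact name match on them cannot fire.
LIBRARY_APP = ["org.apache.jena:jena-base:4.2.0",
               "org.apache.jena:jena-core:4.2.0",
               "org.apache.jena:jena-iri:4.2.0"]
FUSEKI_DEPLOYMENT = ["org.apache.jena:jena-fuseki-main:5.4.0",
                     "org.apache.jena:jena-core:5.4.0"]
PATCHED_DEPLOYMENT = ["org.apache.jena:jena-fuseki-main:5.5.0"]

if __name__ == "__main__":
    for label, deps in [("library app", LIBRARY_APP),
                        ("fuseki 5.4.0", FUSEKI_DEPLOYMENT),
                        ("fuseki 5.5.0", PATCHED_DEPLOYMENT)]:
        print(label, "| published:", flagged(deps, ADVISORY_SOURCE_RELEASE),
              "| per module:", flagged(deps, ADVISORY_PER_MODULE),
              "| whole group:", flagged(deps, ADVISORY_SOURCE_RELEASE, True))
```

With the published metadata the vulnerable Fuseki deployment is not reported at all; with per-module coordinates only the 5.4.0 Fuseki jar is reported and the 5.5.0 one is clean; with a whole-group match every Jena jar, including a library-only application that never runs Fuseki, is flagged. That is the trade-off between under- and over-reporting that the choice of affected package names decides.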